Intent to ship: `script-sample` property for CSP reports


Andy Paicu

Mar 23, 2017, 6:14:14 AM3/23/17
to blin...@chromium.org

Contact emails

mk...@chromium.org

andy...@chromium.org 


Spec

https://w3c.github.io/webappsec-csp/#deprecated-serialize-violation


Summary

Firefox has shipped a `script-sample` property in CSP violation reports since their initial implementation, while other browsers have not done the same for various reasons outlined in the thread at https://lists.w3.org/Archives/Public/public-webappsec/2016Oct/0016.html. The `script-sample` property attempts to reach consensus on an opt-in variant of Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.

That is, given:

    script-src 'nonce-abc' 'report-sample'

and:

    <script>alert(1);</script>

The violation report would include:

    {
      ...
      "script-sample": "alert(1);"
    }

Motivation

Artur (CC'd) lays out the Google security team's perspective on samples in violation reports at https://github.com/w3c/webappsec-csp/issues/119#issue-179078142: without a sample, detecting and eliminating inline script violations is practically impossible. This is a request I've heard echoed from basically everyone else who collects violation reports at scale. 


Interoperability and Compatibility Risk

The main risk here is that the proposal doesn't exactly match what Firefox has shipped. The key distinctions are:

1. This approach requires opt-in from the site, via a new `'report-sample'` expression in the relevant directive.

2. We're including inline style violations as well.


Firefox seems fine with these changes; they aren't prioritizing implementing them, but they are not opposed either.


Edge: No signals.

Firefox: Shipped.

Safari: No signals.

Web developers: Positive.


Ongoing technical constraints

None.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


OWP launch tracking bug

https://crbug.com/606774

Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5792234276388864


Requesting approval to ship?

Yes.
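Added example, not code from the intent or from Chromium: a small Python model of the opt-in behaviour described in the summary above (a 40-character sample attached iff `'report-sample'` appears in the violated directive, for both script and style violations), plus a receiver-side tally showing why the sample matters when triaging reports at scale. The function names, the report field values other than `script-sample`, and the sample reports are assumptions constructed for illustration.

```python
import json
from collections import Counter

SAMPLE_LENGTH = 40  # the intent specifies a 40-character sample


def build_report(directive_name, directive_value, inline_source):
    """Serialize a violation for a blocked inline script or style.

    The sample is attached only if the violated directive contains the
    'report-sample' expression (the opt-in described in the intent).
    Field values other than script-sample are assumed for illustration.
    """
    tokens = directive_value.split()
    report = {
        "document-uri": "https://example.test/",
        "violated-directive": directive_name,
        "original-policy": f"{directive_name} {directive_value}",
        "blocked-uri": "inline",
    }
    if "'report-sample'" in tokens:
        report["script-sample"] = inline_source[:SAMPLE_LENGTH]
    return report


def triage(reports):
    """Receiver side: tally violations by sample so one inline block that
    fires on many pages shows up as a single line item."""
    tally = Counter()
    for report in reports:
        tally[report.get("script-sample", "<no sample>")] += 1
    return tally


# Constructed inputs: the policy and inline script from the intent, a style
# violation, and a policy without the opt-in for comparison.
REPORTS = [
    build_report("script-src", "'nonce-abc' 'report-sample'", "alert(1);"),
    build_report("script-src", "'nonce-abc' 'report-sample'", "alert(1);"),
    build_report("style-src", "'self' 'report-sample'", "body { color: red; }"),
    build_report("script-src", "'nonce-abc'", "alert(1);"),
]

if __name__ == "__main__":
    print(json.dumps(REPORTS[0], indent=2))
    print(dict(triage(REPORTS)))
```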

TAMURA, Kent

Mar 27, 2017, 9:52:00 PM3/27/17
to Andy Paicu, blin...@chromium.org
LGTM1
--
TAMURA Kent
Software Engineer, Google


Dimitri Glazkov

Mar 28, 2017, 10:34:36 AM3/28/17
to TAMURA, Kent, Andy Paicu, blin...@chromium.org
LGTM2

Jochen Eisinger

Mar 28, 2017, 10:55:44 AM3/28/17
to Dimitri Glazkov, TAMURA, Kent, Andy Paicu, blin...@chromium.org
lgtm3