Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't Be Evil Sandbox v1 #191

Open
larrysalibra opened this issue Nov 27, 2019 · 4 comments
Assignees

Comments

@larrysalibra
Copy link
Member

@larrysalibra larrysalibra commented Nov 27, 2019

As many of you know, we introduced the Can’t Be Evil Sandbox late last month at the 2019 Blockstack Summit in San Francisco. Two weeks ago, we shipped the developer preview of our New Internet Extension which implements v1 of the Can’t Be Evil Sandbox. It prohibits two types of app behavior that have been problematic for user privacy: cookies and automatically loading 3rd party assets such as images and scripts from other people's servers. You can read more about it here.

image

We propose the following scoring:

Cookies

  • Uses cookies: 0 points
  • Does not use cookies: 1 point

Use of cookies is defined as either a server trying to set cookies in the user’s browser or code running in the user’s browser trying to send cookies with a request. We will erase cookies. Cookies that existed prior to each round of testing will be erased from browsers used in testing.

3rd party resources

  • Uses 3rd party resources: 0 points
  • Does not use 3rd party resources: 1 point

3rd party resources are defined as any requests to app origins that are not self origin as defined by Content Security Policy (CSP) specifications. Requests that fall under the CSP policy connect-src are allowed for all origins and explicitly exempt from this run under v1 of the Can’t Be Evil Sandbox.

Opts-in to Can’t Be Evil Sandbox

  • No: 0 points
  • Yes: 1 point

Apps opt-in to the latest version of the Can’t Be Evil Sandbox by setting the can't-be-evil header to true. Opting in means that the New Internet Extension and other user agents that support the Can’t Be Evil Sandbox will enforce the rules instead of merely reporting violations.

A dry run of this new criteria will be conducted during the app review period that begins on December 1, 2019 (November 2019 cohort).

See the following forum issue for other proposed scoring and policy changes: https://forum.blockstack.org/t/november-2019-nil-scoring-proposals/9494?u=larry

@qqnoname

This comment has been minimized.

Copy link

@qqnoname qqnoname commented Nov 27, 2019

About 3rd party resources - apps that are using Sentry, Bugsnag, Instabug, or any similar tool to get info about bugs will get a lower score than apps that do not care about bugs? Maybe we need to create a list of 3rd party resources that are allowed?

@wilsonbright

This comment has been minimized.

Copy link

@wilsonbright wilsonbright commented Nov 27, 2019

@larrysalibra would like to hear your thoughts on the timing of open-sourcing the apps. I'm working towards making BlockSurvey a SaaS platform, would making the product open at an early stage a risk for doing business?

@larrysalibra

This comment has been minimized.

Copy link
Member Author

@larrysalibra larrysalibra commented Nov 28, 2019

About 3rd party resources - apps that are using Sentry, Bugsnag, Instabug, or any similar tool to get info about bugs will get a lower score than apps that do not care about bugs? Maybe we need to create a list of 3rd party resources that are allowed?

v1 of the Can't Be Evil sandbox doesn't prohibit programmatically sending information - ie bug reports - to 3rd parties. Package any code your app needs with the app and you shouldn't have any issues.

@hdriqi

This comment has been minimized.

Copy link

@hdriqi hdriqi commented Dec 3, 2019

@larrysalibra loading image from blockstack gaia is also a 3rd party use. so do we need to proxy every request?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.