oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Clarify that blocking on user-agents is not allowed #635

Open tschmidtb51 opened 1 year ago

tschmidtb51 commented 1 year ago

We came across a situation where a ~Web Application Firewall~ CDN blocked the automatic retrieval of the PMD and CSAF files. Given the reasoning in https://github.com/csaf-poc/csaf_distribution/issues/376#issuecomment-1611571389, IMHO CSAF 2.0 already prohibits restricting the user-agent, as it contradicts the intended usage.

Nevertheless, we should clearly state that restricting the user-agent to a specific value (or set of values) is not allowed, as it hinders the implementation of tools.
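Added example, not part of the thread or of any CSAF TC tooling: a provider-side check that requests the same provider-metadata.json with several User-Agent values and reports whether only some of them are served. The agent strings, the `DemoCDN` handler and the function names are constructed for illustration; the demo runs against a localhost stand-in rather than a real CDN.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample values: a browser, an HTTP library, a hypothetical CSAF tool.
SAMPLE_AGENTS = ["Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0",
                 "Python-urllib/3.12", "example-csaf-downloader/1.0"]
# Connect directly (no proxy) so the answer reflects the server or CDN itself.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_status(url, user_agent, timeout=5):
    """Return the HTTP status code seen when requesting url with user_agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 403 or similar is a result here, not a failure

def ua_restricted(url, agents=SAMPLE_AGENTS):
    """Return (restricted, {agent: status}); restricted means only some got 200."""
    results = {ua: fetch_status(url, ua) for ua in agents}
    ok = sum(1 for code in results.values() if code == 200)
    return 0 < ok < len(results), results

class DemoCDN(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a CDN; browsers_only switches UA filtering on."""
    browsers_only = False
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        blocked = self.browsers_only and not ua.startswith("Mozilla/")
        self.send_response(403 if blocked else 200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(filtering):
    """Serve on a free localhost port and run the check against it."""
    handler = type("Handler", (DemoCDN,), {"browsers_only": filtering})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/.well-known/csaf/provider-metadata.json"
        return ua_restricted(url)
    finally:
        server.shutdown()
        server.server_close()
```

Pointing `ua_restricted` at a provider's own metadata URL after a CDN or WAF change shows whether non-browser clients are still served.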

sthagen commented 1 year ago

During the 2023-09-27 meeting of the TC, the members approved the motion to clearly state in the v2.1 CSAF, with an explicit statement, that such blocking is not allowed and to also add that statement to the FAQs.

tschmidtb51 commented 5 months ago

Todo: