
Re: [WEB SECURITY] Thoughts on Content Security Policy?



bugtraq@xxxxxxxxxxxxxxx wrote:
> So yeah, the basic idea has a lot of merit, but as the proposal stands right now, I'm not sure it can gain the necessary traction to make it useful.

> More work is needed for sure; such things aren't to be taken lightly or implemented too quickly
> without properly factoring in all the messed up use cases that exist.

For sure -- and I'm really glad to see lots of good comments moving CSP forwards, even if I'm not ready to give it a hearty endorsement myself!


I'm going to disagree about not doing early implementations, though. As long as you're willing to throw away early implementations when better designs come along, there's a lot to be gained from testing stuff out on real web pages before the design is completely firm. We found this when implementing SOMA, which is superficially similar to the early version of CSP when it was still called "Site Security Policy."

