
Re: lcamtuf on the subtle/deadly problem with CSP

From: Paul McMillan <paul@mcmillan.ws>
Date: Tue, 30 Aug 2011 15:58:56 -0700
Message-ID: <CAO_YWRUkLbWs+0JjC29JTrCp_ONm_=7wvoB4av0QTecGxhou-Q@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>

> This isn’t a new idea, but I am curious to hear the opinions on the topic
> from the readers on this list.  How important is this kind of attack to real
> world applications?  Are real world web applications stable and well-defined
> enough to be identified in a more granular way?

It depends on the scale of your application. There is a wide swath of
real-world applications that will benefit greatly from this level of
granularity. Companies that provide one main service on a single
domain will benefit greatly. Open source projects deployed by amateurs
will benefit greatly if this can be rolled out cleanly. There are some
organizations which will have trouble fitting their infrastructure
into this model.
Received on Wednesday, 31 August 2011 16:00:14 GMT
