
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 21 Jan 2011 20:10:48 -0800
Message-ID: <4D3A58C8.9020901@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
On 1/21/11 7:42 PM, Adam Barth wrote:
> On Fri, Jan 21, 2011 at 6:21 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> I'd be perfectly happy to add [...]
> [...]
>> That can be added to CSP quite easily [...]
> 
> I guess, from my perspective, the more interesting discussion is about
> what to remove, not about what to add.  My main sadness about CSP is
> that it is too large and too complex.  Adding more bells and whistles
> exacerbates that sadness.

"bells and whistles"? Those seemed to be the main points of your
counter-proposal. They weren't things you were proposing to remove
from CSP; they were things both proposals do that you wanted done
differently.

At least the <meta> point was. Lacking context, I'm guessing the
other snip was in response to mz's URI vs. origin suggestion. That's
not something I want to add, but the syntax is purposefully flexible,
and if consensus says that's a better granularity for control,
there's no reason CSP couldn't do that.

-Dan Veditz
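To make the "URI vs. origin" granularity question above concrete, here is a small source-list matcher in the origin-granular style of the CSP 1.0 drafts: a host-source such as `https://cdn.example.com` permits every path on that origin, and the path of the requested URL is never consulted. This is an added illustration, not code from the thread, from Mozilla, or from any CSP implementation; the function names (`urlAllowed`, `sourceMatches`, `parseHostSource`) and the handling of the bare `*` source are this example's own assumptions, and it covers only `'self'`, `'none'`, scheme-only and host-source expressions.

```javascript
// CSP source-list matching at origin granularity (CSP 1.0-style expressions).
// Added example, not from the thread or from any browser's CSP code. Assumes the
// source-expression forms 'self', 'none', "*", scheme-only ("https:") and
// host-source ("[scheme://]host[:port]", optional "*." host prefix, "*" port).
// The requested URL's path is deliberately ignored: that is origin granularity.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) triple that CSP compares against,
// filling in the default port so "https://a.example" and "https://a.example:443" agree.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol, // e.g. "https:"
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Split one host-source expression into its matching rules; null if malformed.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null, // null => protected resource's scheme
    wildcardSub: Boolean(m[2]),                      // "*.example.org" form
    host: m[3].toLowerCase(),
    port: m[4] ?? null,                              // null => default port for the scheme
  };
}

// Does a single source expression permit a load from `target`?
// `self` is the origin of the protected resource (the page carrying the policy).
function sourceMatches(expr, target, self) {
  if (expr === "'none'") return false;
  if (expr === "*") return true; // assumption: bare "*" matches any origin
  if (expr === "'self'") {
    return target.scheme === self.scheme &&
           target.host === self.host &&
           target.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return target.scheme === expr.toLowerCase(); // scheme-only source, e.g. "https:"
  }
  const src = parseHostSource(expr);
  if (!src) return false;
  const scheme = src.scheme ?? self.scheme;
  if (target.scheme !== scheme) return false;
  if (src.wildcardSub) {
    if (!target.host.endsWith("." + src.host)) return false;
  } else if (target.host !== src.host) {
    return false;
  }
  if (src.port === "*") return true;
  const port = src.port ?? DEFAULT_PORTS[scheme] ?? "";
  return target.port === port;
}

// Evaluate a directive value such as "'self' https://cdn.example.com *.example.org"
// against the URL a page is trying to load. Any matching expression allows the load.
function urlAllowed(directiveValue, urlString, protectedResourceUrl) {
  const target = parseOrigin(urlString);
  const self = parseOrigin(protectedResourceUrl);
  return directiveValue.trim().split(/\s+/).some((e) => sourceMatches(e, target, self));
}

// Constructed sample: a policy that whitelists a CDN origin. Every path on that
// origin is permitted, including ones the site author never intended to load.
const POLICY = "'self' https://cdn.example.com";
const PAGE = "https://app.example.net/";
console.log(urlAllowed(POLICY, "https://cdn.example.com/libs/jquery.js", PAGE));   // origin match
console.log(urlAllowed(POLICY, "https://cdn.example.com/anything/else.js", PAGE)); // path ignored
console.log(urlAllowed(POLICY, "https://evil.example.com/x.js", PAGE));            // different host
```

The second `console.log` line is the practical point of the granularity debate: an origin-level whitelist cannot distinguish `/libs/jquery.js` from any other resource served by the same host, so a CDN hosting user-controlled content gives an injected script a ready-made allowed source. A URI-level source expression would close that, at the cost of a larger syntax.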
Received on Saturday, 22 January 2011 04:11:58 GMT
