W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 21 Jan 2011 20:32:02 -0800
Message-ID: <AANLkTikQgvQhY07QZC-uLiq=S-RDPX-U-nQbqHB6sK5i@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
On Fri, Jan 21, 2011 at 8:10 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 1/21/11 7:42 PM, Adam Barth wrote:
>> On Fri, Jan 21, 2011 at 6:21 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>> I'd be perfectly happy to add [...]
>> [...]
>>> That can be added to CSP quite easily [...]
>>
>> I guess, from my perspective, the more interesting discussion is about
>> what to remove, not about what to add.  My main sadness about CSP is
>> that it is too large and too complex.  Adding more bells and whistles
>> exacerbates that sadness.
>
> "bells and whistles"? Those seemed to be main points of your
> counter-proposal. They weren't things you were proposing to remove
> from CSP, they were things both proposals do that you wanted done
> differently.

The main point of my counter-proposal is to focus on XSS mitigation
first and to defer building out features for other benefits that we
might get from security policies.  If we can agree that's a reasonable
scope, then I suspect coming to agreement about the remaining details
won't be that hard.

> At least the <meta> point was. Lacking context I'm guessing the
> other snip was in response to mz's URI vs origin suggestion. That's
> not something I want to add, but the syntax is purposefully flexible
> and if consensus says that's a better granularity for control
> there's no reason CSP couldn't do that.

I'm not too worried about the syntax for what's allowed or disallowed.
 There are a bunch of options, many of which can do the job.  Once we
agree on a scope, we can go through the options and weigh the
trade-offs.

Adam
Received on Saturday, 22 January 2011 04:33:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 22 January 2011 04:33:09 GMT