
Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 23 Jan 2011 21:47:24 -0800
Message-ID: <AANLkTi=uEaGv=KJOdRBXgTkne5qN18MjQdQtzctDYtsg@mail.gmail.com>
To: John Wilander <john.wilander@owasp.org>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
> Where am I going with this? Well, we should implement a PoC policy
> generator and run it on some fairly large websites before we nail the

I would also add developing policies for common applications like
Drupal, WordPress, MediaWiki, etc. We tried to develop a CSP policy for
Bugzilla and it seemed too much work to do it without enabling
inline scripts.

> We Mustn't Spoil Performance

This is something I have been concerned about for a while now. If you
look at YouTube, a good target for CSP deployment imo, then it has a
bunch of inline scripts inside the HTML content that they use for
timing measurement and performance testing. It seems that CSP would
just take this away since adding a <script src='blahblah'> is
impractical from a performance perspective.

-devdatta
Received on Monday, 24 January 2011 05:48:17 GMT
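A minimal version of the "PoC policy generator" the quoted message proposes, written here as an added example and not code from anyone in the thread. It walks a constructed HTML page, turns the external script and image URLs into `script-src` / `img-src` source lists, and counts the inline scripts a strict policy would block, which is exactly the cost Devdatta describes for Bugzilla and for YouTube's inline timing scripts. The sample page, host names and the `build_csp` / `origin_of` names are constructed for the example; `'self'`, `'none'` and `'unsafe-inline'` are the CSP source keywords as they are spelled in the published CSP specifications.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from the email): two inline timing scripts of
# the kind described for YouTube, two external scripts and one image.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>var t_start = Date.now();</script>
<script src="/static/app.js"></script>
<script src="https://static.example-cdn.test/analytics.js"></script>
</head><body>
<img src="https://img.example-cdn.test/logo.png" alt="">
<script>window.perf_log = {render: Date.now() - t_start};</script>
</body></html>"""


def origin_of(url, page_scheme):
    """Reduce a URL to a CSP source expression: 'self' for relative (same-origin)
    URLs, otherwise scheme://host[:port]. Scheme-relative //host URLs take the
    page's scheme."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "'self'"
    scheme = parts.scheme or page_scheme
    return f"{scheme}://{parts.netloc}"


class SourceCollector(HTMLParser):
    """Collects external script and image origins and counts inline scripts."""

    def __init__(self, page_scheme):
        super().__init__()
        self.page_scheme = page_scheme
        self.script_srcs = set()
        self.img_srcs = set()
        self.inline_scripts = 0
        self._in_script = False
        self._script_has_src = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_has_src = a.get("src") is not None
            if self._script_has_src:
                self.script_srcs.add(origin_of(a["src"], self.page_scheme))
        elif tag == "img" and a.get("src"):
            self.img_srcs.add(origin_of(a["src"], self.page_scheme))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here. A non-empty body on a tag
        # without src is an inline script; script-src blocks it unless the
        # policy carries 'unsafe-inline'.
        if self._in_script and not self._script_has_src and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def format_sources(srcs):
    # 'self' first, then keywords and hosts in a stable order
    return " ".join(sorted(srcs, key=lambda s: (s != "'self'", s)))


def build_csp(html, page_scheme="https", allow_inline=False):
    """Return the script-src/img-src policy derived from the page and the
    number of inline scripts that policy would block."""
    c = SourceCollector(page_scheme)
    c.feed(html)
    c.close()
    script_srcs = set(c.script_srcs)
    blocked = c.inline_scripts
    if c.inline_scripts and allow_inline:
        script_srcs.add("'unsafe-inline'")   # the trade-off the email describes
        blocked = 0
    directives = []
    if script_srcs:
        directives.append("script-src " + format_sources(script_srcs))
    elif c.inline_scripts:
        # Inline-only page: omitting script-src would leave scripts
        # unrestricted, so the strict policy must say 'none' explicitly.
        directives.append("script-src 'none'")
    if c.img_srcs:
        directives.append("img-src " + format_sources(c.img_srcs))
    return {"policy": "; ".join(directives), "blocked_inline_scripts": blocked}


if __name__ == "__main__":
    for allow in (False, True):
        result = build_csp(SAMPLE_HTML, allow_inline=allow)
        print(f"allow_inline={allow}: {result}")
```

Run against the sample, the strict policy is `script-src 'self' https://static.example-cdn.test; img-src https://img.example-cdn.test` and reports two blocked inline scripts; with `allow_inline=True` the generator adds `'unsafe-inline'` and the count drops to zero, which is the all-or-nothing choice this thread is discussing. Later CSP revisions added nonce and hash source expressions, so a known inline timing snippet can be allowed individually without re-enabling every inline script on the page.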
