- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 23 Jan 2011 21:47:24 -0800
- To: John Wilander <john.wilander@owasp.org>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
> Where am I going with this? Well, we should implement a PoC policy
> generator and run it on some fairly large websites before we nail the

I would also add developing policies for common applications like Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for Bugzilla and it seemed too much work to do it without enabling inline-scripts.

> We Mustn't Spoil Performance

This is something I have been concerned about for a while now. If you look at YouTube, a good target for CSP deployment imo, then it has a bunch of inline-scripts inside the HTML content that they use for timing measurement and performance testing. It seems that CSP would just take this away since adding a <script src='blahblah'> is impractical from a performance perspective.

-devdatta
Received on Monday, 24 January 2011 05:48:17 UTC
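The quoted message proposes a proof-of-concept policy generator, and the reply's point is that real pages carry inline scripts (timing code, beacons) that such a policy cannot express without 'unsafe-inline'. The script below is an added example written for this page; it is not code from the thread, from the proposed PoC, or from any site mentioned. It scans an HTML document for external script origins, reports the inline scripts and inline event handlers that a script-src directive without 'unsafe-inline' would block, and emits both the strict and the permissive directive. The sample page and the hostnames in it are constructed for the example; parsing is regex-based and deliberately simplified (no handling of HTML comments, CDATA, or scripts added at runtime), so its output is a first estimate of what a site would have to externalize, not an audit.

```javascript
// Added example, not part of the original thread: a proof-of-concept
// script-src policy generator of the kind the quoted message proposes.
// It scans an HTML document for external script origins and reports the
// inline scripts and inline event handlers that a policy without
// 'unsafe-inline' would block. Parsing is regex-based and deliberately
// simplified (no handling of HTML comments, CDATA or scripts injected at
// runtime), so treat the output as a first estimate, not an audit.

const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Any attribute named on<something>= is an inline event handler (onclick, onload, ...),
// which CSP treats the same way as an inline <script> block.
const EVENT_HANDLER_RE = /<[a-z][^>]*\s(on[a-z]+)\s*=/gi;

// Origin ("scheme://host[:port]") of a script src resolved against the page
// URL, or null for non-HTTP(S) schemes such as data: or javascript:.
function scriptOrigin(src, pageUrl) {
  const u = new URL(src, pageUrl);
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.origin : null;
}

function analyseHtml(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = { usesSelf: false, thirdPartyOrigins: new Set(),
                   inlineScripts: [], eventHandlers: [], nonHttpSrcs: [] };
  let m;
  while ((m = SCRIPT_TAG_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    const srcMatch = SRC_ATTR_RE.exec(attrs);
    if (srcMatch) {
      const src = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
      const origin = scriptOrigin(src, pageUrl);
      if (origin === null) report.nonHttpSrcs.push(src);
      else if (origin === pageOrigin) report.usesSelf = true;
      else report.thirdPartyOrigins.add(origin);
    } else if (body.trim() !== '') {
      report.inlineScripts.push(body.trim());
    }
  }
  while ((m = EVENT_HANDLER_RE.exec(html)) !== null) {
    report.eventHandlers.push(m[1].toLowerCase());
  }
  report.thirdPartyOrigins = [...report.thirdPartyOrigins].sort();
  return report;
}

// Build a script-src directive from the report. Without allowInline, every
// inline script and handler in the report is something the site would have
// to move into an external file (the cost the reply is worried about).
function generatePolicy(report, allowInline) {
  const sources = [];
  if (report.usesSelf) sources.push("'self'");
  sources.push(...report.thirdPartyOrigins);
  if (allowInline) sources.push("'unsafe-inline'");
  if (sources.length === 0) sources.push("'none'");
  return `script-src ${sources.join(' ')}`;
}

// Constructed sample page (hostnames are placeholders, not any real site):
// inline timing code at the top and a beacon at the bottom, around external scripts.
const SAMPLE_HTML = `<html><head>
<script>var t0 = Date.now();</script>
<script src="/js/app.js"></script>
<script src="https://static.example-cdn.test/lib.js"></script>
<script type="text/javascript" src='https://static.example-cdn.test/ads.js'></script>
</head><body onload="reportTiming(Date.now() - t0)">
<a href="#" onclick="track()">x</a>
<script>
  // timing beacon: how long until the page finished parsing
  reportTiming(Date.now() - t0);
</script>
</body></html>`;
const SAMPLE_URL = 'https://www.example.test/watch';

function runSample() {
  const report = analyseHtml(SAMPLE_HTML, SAMPLE_URL);
  return {
    report,
    strict: generatePolicy(report, false),
    permissive: generatePolicy(report, true),
  };
}

const result = runSample();
console.log(result.strict);
console.log(`${result.report.inlineScripts.length} inline script(s) and ` +
            `${result.report.eventHandlers.length} inline handler(s) would be blocked`);
```

Run it with `node` and it prints the strict directive for the sample page plus the count of inline scripts and handlers that directive would block. The two inline blocks it finds are exactly the timing pattern the reply describes: a timestamp taken before any external script loads, and a beacon after parsing. Under the CSP draft being discussed, the only way to keep them is 'unsafe-inline', which gives up the XSS protection that was the point of deploying CSP; nonces and hashes, which let a page allow specific inline blocks, were added in later revisions of CSP and are not part of the policy model this thread is discussing.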