
Re: Scope and complexity (was Re: More on XSS mitigation)

From: Gervase Markham <gerv@mozilla.org>
Date: Tue, 25 Jan 2011 14:49:37 +0000
Message-ID: <4D3EE301.6000605@mozilla.org>
To: Adam Barth <w3c@adambarth.com>
CC: Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On 24/01/11 23:50, Adam Barth wrote:
> To pick on one example, adding "inline" as script-src is a disaster
> for security, yet it's tempting enough that a number of folks who
> I've seen try to use CSP decide to add it.  IMHO, CSP would be better
> at mitigating XSS without the "inline" option for "script-src".

Well, if you don't use the 'inline' option, of course CSP is better at 
mitigating XSS ;-)

I think you mean: "CSP would mitigate more XSS attacks if the 'inline' 
option for 'script-src' were not a part of the spec and not implemented."

However, that's definitely a debatable point. If you make CSP too hard 
to adopt, fewer people will use it full stop - and so not get XSS 
protection, or any other protections. Allowing 'inline-src' makes the 
adoption curve for CSP less steep. Yes, some people will stop halfway 
up the curve; but I would suggest that a less steep curve means that 
more people will persevere to the top.

Gerv
Received on Tuesday, 25 January 2011 14:50:24 GMT
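A defender-side check for the point under debate, added here as an example and not part of the original thread: it parses a Content-Security-Policy header and reports whether the directive that governs scripts permits inline script. The 'inline' token is the one the thread names; 'unsafe-inline' is the spelling later CSP versions standardised on, and the rule that a nonce- or hash-source makes 'unsafe-inline' inert is CSP Level 2 behaviour, both of which go beyond what the message itself states.

```python
"""Audit a CSP header for the weakening discussed in the thread: an
inline-script allowance in the directive that governs script execution."""
from __future__ import annotations

# Keywords that permit inline script. 'inline' is the token named in the
# thread; 'unsafe-inline' is the name later CSP versions standardised on.
INLINE_KEYWORDS = {"'inline'", "inline", "'unsafe-inline'"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive-name: [source tokens]}.

    Directives are ';'-separated; the first token is the name, the rest are
    source expressions. Names are case-insensitive, and a repeated directive
    is ignored because CSP honours only the first occurrence.
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_sources(directives: dict[str, list[str]]) -> list[str]:
    """script-src, falling back to default-src when script-src is absent."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def allows_inline_script(header: str) -> bool:
    """True when the policy lets inline <script> blocks and handlers run.

    A nonce- or hash-source alongside the inline keyword disables it in
    CSP Level 2 and later, so that combination is reported as not allowing
    arbitrary inline script.
    """
    sources = [s.lower() for s in effective_script_sources(parse_csp(header))]
    has_inline = any(s in INLINE_KEYWORDS for s in sources)
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return has_inline and not has_nonce_or_hash


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    for policy in ("default-src 'self'; script-src 'self' 'inline'",
                   "default-src 'self' 'unsafe-inline'",
                   "default-src 'self'; script-src 'self' 'nonce-c0nstructed'"):
        print(f"{policy!r:70} inline allowed: {allows_inline_script(policy)}")
```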

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 25 January 2011 14:50:26 GMT