
RE: Scope and complexity (was Re: More on XSS mitigation)

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Tue, 25 Jan 2011 09:48:57 -0700
To: Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>
CC: Lucas Adamski <lucas@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB1A26C173@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-
> request@w3.org] On Behalf Of Gervase Markham
> 
> However, that's definitely a debatable point. If you make CSP too hard to
> adopt, fewer people will use it full stop - and so not get XSS protection, or
> any other protections. Allowing 'inline-src' makes the adoption curve for CSP
> less steep. Yes, some people will stop halfway up the curve; but I would
> suggest that a less steep curve means that more people will persevere to the
> top.

CSP isn't only useful for stopping XSS either. It can be a policy enforcement for where scripts can come from. Just like it can control framing, which isn't really about XSS either. I think it would be a lot less useful if it didn't include those capabilities/functions, as those are some of my major initial use cases.

- Andy
Received on Tuesday, 25 January 2011 16:49:35 GMT
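The two non-XSS uses Andy names above, CSP as a script-source policy and as a framing control, shown as an added example that is not part of the thread: a small evaluator for the `script-src` and `frame-ancestors` directives. Directive names, the `'self'`/`'none'`/`'unsafe-inline'` keywords and the host wildcard follow later CSP 1.0 syntax, not any directive proposed in this discussion; the page origin and the sample policy are constructed.

```javascript
// Constructed page origin the policy is evaluated for.
const PAGE_ORIGIN = "https://shop.example";

// Parse "directive src src; directive src" into a Map of source lists.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does one source expression match an origin? Handles 'self', 'none', exact
// scheme://host[:port] origins and a leading host wildcard (https://*.cdn.example).
// Ports are compared literally; keyword sources other than 'self' name no origin.
function sourceMatches(expr, origin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return origin === PAGE_ORIGIN;
  if (expr.startsWith("'")) return false;
  const [scheme, host] = expr.split("://");
  const [oScheme, oHost] = origin.split("://");
  if (!host || oScheme !== scheme) return false;
  if (host.startsWith("*.")) return oHost.endsWith(host.slice(1));
  return oHost === host;
}

function originOf(url) { return new URL(url).origin; }

// script-src (falling back to default-src): an external script needs an allowed
// origin; an inline script (scriptUrl === null) needs 'unsafe-inline'.
function allowsScript(policy, scriptUrl) {
  const list = policy.get("script-src") || policy.get("default-src") || ["*"];
  if (scriptUrl === null) return list.includes("'unsafe-inline'");
  if (list.includes("*")) return true;
  return list.some(expr => sourceMatches(expr, originOf(scriptUrl)));
}

// frame-ancestors: which origins may embed this page. It does not inherit from
// default-src, so a policy without it leaves framing unrestricted by CSP.
function allowsFraming(policy, framerOrigin) {
  const list = policy.get("frame-ancestors");
  if (!list) return true;
  return list.some(expr => sourceMatches(expr, framerOrigin));
}

// Constructed sample policy: own scripts plus one CDN, and no third-party framing.
const SAMPLE = parsePolicy(
  "default-src 'self'; script-src 'self' https://*.cdn.example; frame-ancestors 'self'"
);
```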
