Re: Scope and complexity (was Re: More on XSS mitigation)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 25 Jan 2011 12:31:15 -0800
Message-ID: <4D3F3313.4010703@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org

(apologies for the premature send)

On 01/25/2011 10:42 AM, Adam Barth wrote:
> On Tue, Jan 25, 2011 at 8:48 AM, Steingruebl, Andy
> <asteingruebl@paypal-inc.com> wrote:
>> CSP isn't only useful for stopping XSS either.  It can be a policy enforcement for where scripts can come from.  Just like it can control framing, which isn't really about XSS either.   I think it would be a lot less useful if it didn't include those capabilities/functions, as those are some of my major initial use cases.
> 
> IMHO, in the first iteration we should nail XSS and set up an
> extensible policy framework that we can extend to address other
> threats in the future.

It doesn't make sense to me to pass over features that have value to
potential implementors for the sake of getting something out there
quickly.  Future extensions to the model, while expected, will come with
costs, so we should do our best to reduce the number of iterations.

Let's deliver something quickly, but let's include as much as we think
is useful, with justifiable levels of complexity, in the first iteration.

Best,
Brandon
Received on Tuesday, 25 January 2011 20:33:07 GMT