
Re: Scope and complexity (was Re: More on XSS mitigation)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Jan 2011 14:32:11 -0800
Message-ID: <AANLkTiknS+t6M2qy6oK0TdA4+gwVRZTQjvERmCPzMdYb@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org

On Tue, Jan 25, 2011 at 2:05 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 01/25/2011 01:45 PM, Adam Barth wrote:
>> Ideally, we could come up with a policy mechanism that let us nail XSS
>> today and that fostered innovation in security for years to come.  In
>> the short term, you could view the existing CSP features (e.g.,
>> clickjacking protection) as the first wave of innovation.  If those
>> pieces are popular, then it should be easy for other folks to adopt
>> them.
>
> Others have expressed interest in the existing CSP features within this
> discussion.  If people find the features useful now then why would you take
> a wait-and-see approach to building them into the model?

Because I'd like to wait-and-see whether they're right.  :)

Less glibly, I think that CSP has a bunch of ideas bundled together.
I think some of those ideas are great (like limiting where you get
scripts from), but I think that others aren't as great (e.g., limiting
where you can XHR or the clickjacking mitigation).  I'd like to
implement the great ideas now and pave the way for implementing more
great ideas in the future.

Adam
Received on Tuesday, 25 January 2011 22:33:16 GMT
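To make the distinction in Adam's reply concrete (adopting only the script-source restriction versus bundling XHR and framing restrictions with it), here is an added example that is not part of the thread or of any browser's CSP implementation: a minimal policy parser and directive evaluator. It assumes the directive names that were later standardised (`script-src`, `connect-src`, `frame-ancestors`, `default-src`; the 2011 draft used different spellings), and its source matching is deliberately simplified (origins only, no paths, ports, nonces or hashes). The two policies and the resource origins are constructed for illustration.

```javascript
// Added example for this page: a toy Content-Security-Policy evaluator.
// Not code from the thread or from any browser. Directive names follow the
// later CSP spec (assumption); source matching is simplified to origins.

// Fetch directives fall back to default-src when absent; frame-ancestors
// (the clickjacking mitigation) does not, it is either present or unrestricted.
const FETCH_DIRECTIVES = new Set(["script-src", "connect-src", "img-src", "style-src"]);

// "script-src 'self' https://cdn.example.com; connect-src 'self'"
//   -> { "script-src": ["'self'", "https://cdn.example.com"], "connect-src": ["'self'"] }
function parsePolicy(policyText) {
  const policy = {};
  for (const rawDirective of policyText.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps only the first occurrence of a duplicated directive.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match the origin a resource is loaded from?
// pageOrigin is the origin of the document the policy protects.
function sourceMatches(source, origin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return origin === pageOrigin;

  let scheme = null;
  let host = source;
  const schemeIdx = source.indexOf("://");
  if (schemeIdx !== -1) {
    scheme = source.slice(0, schemeIdx);
    host = source.slice(schemeIdx + 3);
  }
  const o = new URL(origin);
  if (scheme !== null && scheme !== o.protocol.replace(":", "")) return false;

  // "*.example.com" matches subdomains but not the bare apex.
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".example.com"
    return o.host.endsWith(suffix) && o.host.length > suffix.length;
  }
  return o.host === host;
}

// Is a load governed by `directive` from `origin` allowed under `policy`?
// A directive the policy does not mention imposes no restriction at all,
// which is what lets a site adopt script-src alone and nothing else.
function allows(policy, directive, origin, pageOrigin) {
  let sources = policy[directive];
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) {
    sources = policy["default-src"];
  }
  if (sources === undefined) return true; // policy is silent: unrestricted
  return sources.some((s) => sourceMatches(s, origin, pageOrigin));
}

// Constructed policies for the two positions in the thread.
const PAGE = "https://app.example.com";

// Only the script-source idea: XHR destinations and framing stay unrestricted.
const SCRIPTS_ONLY = "script-src 'self' https://cdn.example.com";

// Everything bundled: scripts, XHR destinations, and who may frame the page.
const BUNDLED =
  "script-src 'self' https://cdn.example.com; connect-src 'self'; frame-ancestors 'none'";

// Evaluate the same four loads against a policy and report each verdict.
function evaluate(policyText) {
  const p = parsePolicy(policyText);
  return {
    cdnScript:   allows(p, "script-src",      "https://cdn.example.com",     PAGE),
    evilScript:  allows(p, "script-src",      "https://evil.example.net",    PAGE),
    xhrToApi:    allows(p, "connect-src",     "https://api.example.org",     PAGE),
    framedByAny: allows(p, "frame-ancestors", "https://attacker.example.net", PAGE),
  };
}

console.log("scripts only:", evaluate(SCRIPTS_ONLY));
console.log("bundled:     ", evaluate(BUNDLED));
```

Run with `node`: under `SCRIPTS_ONLY` the injected script from `evil.example.net` is blocked while XHR and framing are untouched, because absent directives mean "no opinion"; under `BUNDLED` the same policy also refuses the cross-origin XHR and any framing. The independence of the directives is the property that makes "implement the great ideas now, add more later" a coherent deployment path.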