Re: Scope and complexity (was Re: More on XSS mitigation)

On 01/25/2011 02:32 PM, Adam Barth wrote:
>> Others have expressed interest in the existing CSP features within this
>> discussion.  If people find the features useful now then why would you take
>> a wait-and-see approach to building them into the model?
> 
> Because I'd like to wait-and-see whether they're right.  :)
> 
> Less glibly, I think that CSP has a bunch of ideas bundled together.
> I think some of those ideas are great (like limiting where you get
> scripts from), but I think that others aren't as great (e.g., limiting
> where you can XHR or the clickjacking mitigation).  I'd like to
> implement the great ideas now and pave the way for implementing more
> great ideas in the future.

I do think we're getting somewhere, for what it's worth :-)

I agree with you that some of CSP's features are obvious wins. Some of
the features are less obvious in terms of immediate benefits provided
(more on that below).  I think we disagree on which features are obvious
wins.  I would place content restrictions in the category of obvious
win. We have heard people say that CSP "would be a lot less useful if it
didn't include those capabilities".  This is not a matter of
waiting-and-seeing if they are "right". These features fit in to their
current use cases.

If you have concrete reasons why specific features should be abandoned
or deferred until later, now is the time to bring them up. Otherwise,
CSP offers a solution to a real set of problems.  There may be ways to
improve the solutions and we should adopt those if we can discover them.
If not, then CSP surely must be better than no solution.

I've argued that we should provide more levers because we may be faced
with future threats that can be mitigated by pulling some combination of
the levers.  Admittedly, this is a difficult position to defend as there
are no clear and present dangers that all of the proposed levers map to.
It would be productive, I think, to debate the merits of the individual
features rather than saying "script loading is the only useful part; the
rest should be dismissed".  We already have evidence to the contrary.

I love that this debate finally seems to have some traction.  Let's keep
it moving forward!

Regards,
Brandon

Received on Tuesday, 25 January 2011 23:21:58 UTC