- From: Joel H. W. Weinberger <jww@eecs.berkeley.edu>
- Date: Wed, 26 Jan 2011 15:37:01 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Gervase Markham <gerv@mozilla.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
I'm currently working on a formal description of our experiences transforming Bugzilla into a CSP-ready application. Adam's description of our results is accurate. We were able to get Bugzilla working with CSP and preventing XSS attacks (i.e. inline scripts disabled), but it was not trivial and the performance is not great. At the suggestion of Gervase Markham, I will post a thorough description of my experiences when I am done to this Bugzilla bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=600692 But if anyone has any questions in the meantime, I would be happy to answer them. --Joel On Mon, Jan 24, 2011 at 03:52:30PM -0800, Adam Barth wrote: > On Mon, Jan 24, 2011 at 10:29 AM, Gervase Markham <gerv@mozilla.org> wrote: > > On 24/01/11 05:47, Devdatta Akhawe wrote: > >> I would also add developing policies for common applications like > >> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for > >> BugZilla and it seemed too much work to do it without enabling > >> inline-scripts. > > > > Did you communicate with the Bugzilla development team while doing this? I > > didn't see anything cross the mailing list... Getting Bugzilla in a state > > where it can have a CSP policy would be a great thing. Why not file a bug > > about it? > > We did this as an experiment to evaluate how easy it was to deploy CSP > on a real web site. Joel can tell you more of the details. We > eventually got it working, although we had to do some work to avoid > losing performance. > > Adam
Received on Thursday, 27 January 2011 08:01:03 UTC