Re: CSP and jsonp callbacks

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Tue, 31 May 2011 09:56:54 -0400
Message-ID: <BANLkTi=XeoEh4qgWRqvZrhTaUJGzHppWTQ@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, masatokinugawa@gmail.com

On Mon, May 30, 2011 at 6:47 PM, sird@rckc.at <sird@rckc.at> wrote:
> Or said in a different way, instead of making everyone in the world
> adapt to CSP, find a solution (maybe not the one I suggested, but any)
> that just works, or.. CSP will be only used by Paypal.. (instead of
> GMail, Facebook, Yahoo, Wikipedia, BBS, etc..)

This is tangential, but: actually, this particular issue is not a
problem at all for Wikipedia.  As a matter of policy, using Wikipedia
does not load resources from any site not controlled by Wikimedia or a
Wikimedia chapter, because that would leak personal information about
Wikipedia users to third parties, which is prohibited by Wikimedia's
privacy policy (as it's generally interpreted, to the best of my
knowledge):

http://wikimediafoundation.org/wiki/Privacy_policy#Access_to_and_release_of_personally_identifiable_information

CSP would be very interesting to Wikipedia, because there have been
cases where volunteer admins of smaller projects have added links to
Analytics or similar, not knowing about the privacy policy.

Received on Tuesday, 31 May 2011 13:57:39 GMT