- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Fri, 14 Oct 2011 16:56:17 -0700
- To: public-web-security@w3.org
I hope this isn't off topic. I'm working on building a CMS from the ground up, trying to implement sane security from the start against what I have identified as commonly exploited vulnerabilities in web apps that happened because of poor design (i.e. write permission to a directory the server serves, write permission to a config file the server executes rather than parses, yada yada, the list is a mile long).

Of course I am implementing CSP from the start, and it seems like a battle against widget providers. Facebook share button. If they have a version that does not want to inject a style node a mile long along with an iframe that is full of inline script, I sure haven't found it. So I can't have a Facebook share button available. It seems they have to have an iframe because they insist on counting how many friends have shared it, which seems stupid to me, but it's what they do. I've tried contacting FB about it and get no response, and my requests to join their developer group are never approved (or so I assume; I'm never notified either way, they don't communicate well).

I think it would be beneficial if there was a public advocacy group that attempted to work with these companies to try and get them to produce CSP-compatible widgets. Kind of like what Guy Kawasaki did for Apple. Right now it seems I either relax my desire for premium webapp security or don't have features people want (like a share button) that shouldn't be technically difficult to do securely, and that's kind of sad.
Received on Tuesday, 18 October 2011 14:30:17 UTC
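The conflict described in the message above, as an added example that is not part of the original post and not any vendor's real embed code: a small Content-Security-Policy evaluator in JavaScript. It parses a header value, decides whether inline script and style elements are permitted (including the CSP Level 2 rule that a nonce or hash in the source list disables 'unsafe-inline'), and matches iframe and script URLs against host-source expressions. The widget parts, hostnames (widget.example, cms.example) and both policies are constructed stand-ins. The point it makes concrete is that whitelisting the widget provider's hosts is not enough: the inline <style> and inline loader <script> still fail, and the only thing that makes them work is adding 'unsafe-inline', which reopens the page to every injected inline script.

```javascript
// Added example, not from the original message: a small Content-Security-Policy
// evaluator. Widget parts, hostnames and policies below are constructed stand-ins,
// not any vendor's real embed snippet or any real site's policy.

// Parse a CSP header value into a Map of directive name -> source expressions.
// A repeated directive is ignored: the first occurrence wins, as the spec requires.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src. null means nothing governs the load.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Does one source expression match a URL loaded by a page at pageOrigin?
// Supports 'self', 'none', '*', bare schemes ("https:") and host-sources with an
// optional scheme, "*." wildcard prefix and port. Paths are ignored for brevity.
function hostMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (source === '*') return true;
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the URL must use the page's scheme (an http page may load https).
  const schemeOk = scheme
    ? target.protocol === scheme.toLowerCase() + ':'
    : target.protocol === page.protocol || (page.protocol === 'http:' && target.protocol === 'https:');
  if (!schemeOk) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? target.hostname.endsWith('.' + h) : target.hostname === h;
  if (!hostOk) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port === '*') return true;
  return targetPort === (port || DEFAULT_PORT[target.protocol] || '');
}

// Is a URL load governed by the given directive permitted?
function urlAllowed(policy, directive, url, pageOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => hostMatches(s, url, pageOrigin));
}

// Is an inline <script> or <style> permitted? element: { type, nonce?, sha256? }.
// Per CSP Level 2, 'unsafe-inline' is ignored when the source list carries a nonce or hash.
function inlineAllowed(policy, element) {
  const sources = sourcesFor(policy, element.type === 'script' ? 'script-src' : 'style-src');
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
  if (element.nonce && sources.includes(`'nonce-${element.nonce}'`)) return true;
  if (element.sha256 && sources.includes(`'sha256-${element.sha256}'`)) return true;
  return false;
}

// Constructed stand-in for a share-button embed: an inline style block, an inline
// loader script, an iframe and the SDK script it pulls in. Hostnames are invented.
const WIDGET = [
  { kind: 'inline', type: 'style', label: 'inline <style>' },
  { kind: 'inline', type: 'script', label: 'inline loader <script>' },
  { kind: 'url', directive: 'frame-src', url: 'https://www.widget.example/plugins/share.php', label: '<iframe>' },
  { kind: 'url', directive: 'script-src', url: 'https://connect.widget.example/sdk.js', label: 'SDK <script src>' },
];

// A policy that whitelists the widget's hosts but keeps inline code out.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://connect.widget.example; frame-src https://www.widget.example";
// What it takes to make the same widget work: 'unsafe-inline' on both directives,
// which also re-enables every inline script an attacker manages to inject into the page.
const RELAXED_POLICY =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' https://connect.widget.example; frame-src https://www.widget.example";

// Labels of the widget parts a policy would block.
function blockedParts(headerValue, parts, pageOrigin) {
  const policy = parseCsp(headerValue);
  return parts
    .filter((p) => (p.kind === 'inline' ? !inlineAllowed(policy, p) : !urlAllowed(policy, p.directive, p.url, pageOrigin)))
    .map((p) => p.label);
}

console.log('strict policy blocks:', blockedParts(STRICT_POLICY, WIDGET, 'https://cms.example'));
console.log('relaxed policy blocks:', blockedParts(RELAXED_POLICY, WIDGET, 'https://cms.example'));
```

Running it shows the strict policy blocking exactly the two inline parts while the iframe and SDK script load, and the relaxed policy blocking nothing. A nonce only helps for inline elements the site author can stamp with the nonce attribute; markup a third-party widget writes into the page later carries no nonce, so it is blocked just the same, which is why the message's complaint cannot be solved on the site's side alone.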