W3C home > Mailing lists > Public > public-web-security@w3.org > October 2011

CSP advocacy group??

From: Michael A. Peters <mpeters@domblogger.net>
Date: Fri, 14 Oct 2011 16:56:17 -0700
Message-ID: <4E98CC21.5050103@domblogger.net>
To: public-web-security@w3.org
I hope this isn't off topic.

I'm working on building a CMS from ground up, trying to implement sane 
security from the start in what I have identified as commonly exploited 
vulnerabilities in web apps that happened because of poor design (IE 
write perm to directory server servs, write perm to config file server 
executes rather than parses, yada yada list is a mile long)

Of course I am implementing CSP from the start, and it seems like a 
battle against widget providers.

Facebook share button. If they have a version that does not want to 
inject a style node a mile long along with an iframe that is full of 
inline script, I sure haven't found it. So I can't have a facebook share 
button available.

It seems they have to have an iframe because they insist on counting how 
many friends have shared it, which seems stupid to me, but it's what 
they do.

I've tried contacting FB about it and get no response, and my requests 
to join their developer group is never approved (or so I assume, never 
notified either way, they don't communicate well).

I think it would be beneficial if there was a public advocacy group that 
attempted to work with these companies to try and get them to produce 
CSP compatible widgets. Kind of like what Guy Kawasaki did for Apple.

Right now it seems I either lax up my desire for premium webapp security 
or don't have features people want (like a share button) that shouldn't 
be technically difficult to do securely, and that's kind of sad.
Received on Tuesday, 18 October 2011 14:30:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 18 October 2011 14:30:20 GMT