- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 31 Aug 2011 19:53:44 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, "Hill, Brad" <bhill@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> By "exploitable" you mean "it might be possible to work around the
> CSP restrictions on a case-by-case basis and continue exploiting
> some of the sites that are already exploitable without CSP
> protection," right?
>
> CSP isn't adding any exploits. Like condoms it may not provide 100%
> protection against infection.

Yes, of course. But I think as-is, origin scoping will fail in unexpected ways on many real-world sites.

> Is that enough to knock this troll back under the bridge?

That's a lot of effort, yes ;-) I do disagree with some points, and some are applicable only if you make the decoupling mandatory, but I wasn't seriously trying to derail the discussion, so let's leave it at that.

(If I were to suggest improvements to CSP, that wouldn't be in the top 10.)

/mz
Received on Thursday, 1 September 2011 02:54:42 UTC