Re: lcamtuf on the subtle/deadly problem with CSP

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 31 Aug 2011 19:53:44 -0700
Message-ID: <CALx_OUCY23x8EbPx3Pd+fdHJCUvjgTpZJJJhmOu=zyKFK9hN7g@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, "Hill, Brad" <bhill@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>

> By "exploitable" you mean "it might be possible to work around the
> CSP restrictions on a case-by-case basis and continue exploiting
> some of the sites that are already exploitable without CSP
> protection," right?
>
> CSP isn't adding any exploits. Like condoms it may not provide 100%
> protection against infection.

Yes, of course. But I think as-is, origin scoping will fail in
unexpected ways on many real-world sites.

> Is that enough to knock this troll back under the bridge?

That's a lot of effort, yes ;-)

I do disagree with some points, and some are applicable only if you
make the decoupling mandatory, but I wasn't seriously trying to derail
the discussion, so let's leave it at that. (If I were to suggest
improvements to CSP, that wouldn't be in the top 10.)

/mz
Received on Thursday, 1 September 2011 02:54:42 GMT
