W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: Cross-Origin Resource Embedding Restrictions

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Tue, 01 Mar 2011 10:29:52 -0800
Message-ID: <4D6D3B20.8060605@KingsMountain.com>
To: W3C WebApps WG <public-webapps@w3.org>
CC: Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
Adam wrote:
 >
 > There's been a bunch of discussion on the public-web-security mailing
 > list about the scope of CSP.  Some folks think that CSP should be a
 > narrow feature targeted at mitigating cross-site scripting.  Other
 > folks (e.g., as articulated in
 > <http://w2spconf.com/2010/papers/p11.pdf>) would like to see CSP be
 > more of a one-stop shop for configuring security-relevant policy for a
 > web site.

Well, to be clear, we (AndyS and I) aren't calling (in the above-cited paper) 
for CSP per se to address all use cases -- rather, we see it as a non-trivial 
piece of necessarily multi-faceted approach to crafting a more coherent 
approach to web application security.

That said, we do feel that attenuation of the growth of the number of distinct 
http header fields would probably be a good thing, which would auger for trying 
to figure out how, e.g., CSP might address this use case.

=JeffH
Received on Tuesday, 1 March 2011 18:30:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:43 GMT