
Re: CSP and cross-frame communication

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 05 Mar 2012 13:23:10 -0800
Message-ID: <4F552EBE.8080301@mozilla.com>
To: David Bruant <bruant.d@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 3/5/12 11:58 AM, David Bruant wrote:
> Do you have an example of an XSS that can be avoided by the specific
> prevention of eval? I'm obviously talking about a case where eval is
> legitimate.
> People who misuse eval will at best not be aware of CSP and at worst say
> "it broke my code" and disable it right away when trying it.

The web has built up a history of using eval() in sloppy and
unnecessary ways. Eval can be used carefully, but the CSP default
encourages thought about safer alternatives to many current uses.

Let's say you're building a complex/commercial site. Even if -you-
use eval safely in your own code, are you confident enough that all
your 3rd-party script providers are as careful such that you're
willing to roll the dice by enabling eval support? Maybe you are,
and in that case enable eval in good health.

>> CSP's baby steps toward forcing
>> authors to separate script and content are only a start.
> Interesting. What are the next steps? Can you tell more? Or where can I
> read more about the long term vision of the web platform security?

Inventing next steps is part of this working group and other
security-focused ones at W3 and IETF.

-Dan Veditz
Received on Monday, 5 March 2012 21:23:54 GMT
