- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 01 May 2012 11:45:28 -0700
- To: John Wilander <john.wilander@owasp.org>
- CC: public-webappsec@w3.org
On 4/27/12 2:18 AM, John Wilander wrote:
> Here are my arguments for bringing support for CSP in meta tags back
> into 1.0:
>
> 1. *Ease of adoption over "perfect" security*.

For the developers who want to use CSP, meta tag support is a win: it allows CSP use in many more situations such as those you presented in your points 2-4. Combining a content-injection protection policy in the content it's trying to protect carries risk that the policy might be subverted, but I get your argument that it's better than "perfect but not deployed".

My main concern is that supporting the meta tag turns CSP into a weapon that can be used against sites that know nothing about CSP and are not trying to protect against it. They may have simple filters trying to block <script> tags and on* event handlers, and get broadsided by a <meta> tag that selectively turns off some of the scripts that are essential to the page -- think of some of the attacks on the early versions of IE XSS protection. We should not be adding a "security" feature that makes existing pages less secure if they have not opted into it.

-Dan Veditz
Received on Tuesday, 1 May 2012 18:46:05 UTC
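The attack Dan describes, as an added illustration that is not part of the mailing-list thread and not code from Mozilla or the W3C WebAppSec group: a toy "simple XSS filter" that strips `<script>` tags and `on*` handlers but ignores `<meta>`, beside a minimal evaluator for a CSP `script-src` directive, showing how an injected `<meta http-equiv="Content-Security-Policy">` in a page that never opted into CSP switches off the page's own scripts. The victim page, its script paths, the hostnames `victim.example` and `cdn.attacker.example`, and the "custom head snippet" slot are all constructed for the example; the `script-src` matcher covers only `'none'`, `'self'` and plain host sources.

```javascript
// Added example, not from the original thread. All markup, hosts and policy
// strings below are constructed. Run with: node csp_meta_demo.js

// Naive blacklist filter of the kind the email mentions: strips <script> blocks
// and on* attributes, and says nothing about <meta>. Regex-based on purpose,
// because that is what such "simple filters" tend to be.
function naiveFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// The obvious patch for this particular bypass: also drop any <meta http-equiv>.
// A real fix is an allowlist sanitizer rather than a longer blacklist.
function hardenedFilter(html) {
  return naiveFilter(html).replace(/<meta\b[^>]*\bhttp-equiv\b[^>]*>/gi, "");
}

// Pull the script-src source list out of the first <meta> CSP that has one.
// Returns an array of source expressions, or null when no meta policy is present.
function extractMetaScriptSrc(html) {
  const metaRe = /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy["']?[^>]*>/gi;
  for (const m of html.matchAll(metaRe)) {
    const content = /content\s*=\s*["']([^"']*)["']/i.exec(m[0]);
    if (!content) continue;
    for (const directive of content[1].split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === "script-src") return sources;
    }
  }
  return null;
}

// Minimal script-src matcher: 'none', 'self', and bare host sources only.
// Real CSP adds scheme sources, wildcards, nonces and hashes; not needed here.
function scriptAllowed(sources, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl, pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'" && u.origin === pageOrigin) return true;
    if (!src.startsWith("'") && u.host === src.replace(/^https?:\/\//, "")) return true;
  }
  return false;
}

// Which of the page's external scripts would still execute under whatever
// <meta> policy the markup now carries? With no policy, all of them.
function scriptsThatRun(html, pageOrigin) {
  const urls = [...html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const sources = extractMetaScriptSrc(html);
  if (sources === null) return urls;
  return urls.filter(url => scriptAllowed(sources, url, pageOrigin));
}

// Constructed victim: a site with no CSP of its own, whose frame-busting and
// CSRF-token scripts come from its origin, and which lets users supply a
// filtered "custom head snippet" (think analytics tags in a hosted CMS).
const PAGE_ORIGIN = "https://victim.example";
function renderPage(headSnippet) {
  return `<html><head>
<script src="/js/antiframe.js"></script>
<script src="/js/csrf-token.js"></script>
${headSnippet}
</head><body><p>hello</p></body></html>`;
}

// The attacker needs neither <script> nor on*: a policy naming only a host the
// page never loads from blocks every script the page loads from itself.
const META_PAYLOAD =
  '<meta http-equiv="Content-Security-Policy" content="script-src cdn.attacker.example">';

function demo() {
  const naive = scriptsThatRun(renderPage(naiveFilter(META_PAYLOAD)), PAGE_ORIGIN);
  const hardened = scriptsThatRun(renderPage(hardenedFilter(META_PAYLOAD)), PAGE_ORIGIN);
  return { afterNaiveFilter: naive, afterHardenedFilter: hardened };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The toy does not model where in the document the `<meta>` lands; the browsers that later shipped meta CSP honour it only inside `<head>`, which is why the injection slot above is a head snippet rather than a comment in the body. The broader point of the email survives the toy's simplifications: a blacklist filter built before a browser feature existed cannot have opted out of it, and a policy delivered inside the content it governs is only as trustworthy as that content.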