
Re: An urge for CSP META tag in 1.0

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 2 May 2012 09:32:07 -0700
Message-ID: <CALx_OUAz0hzeixr3P_-PPKktCD4ijN4TbG176zV_iUbMAb=fXw@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: public-webappsec@w3.org

> document.enforceSecurityPolicy("default-src 'self' ");

Also note that given the behavior of certain XSS filters that make it
possible to selectively disable some of the <script> blocks (but not
others), this seems undesirable.

Frankly, I don't see any truly compelling reasons for dropping <meta>;
CSP is far from being perfect, and has several far more concerning
bypass vectors; but it's better than nothing. Making it harder to
deploy it in a common use case just to prevent an attack in a far more
peripheral one (which can be readily turned into XSS in some browsers
anyway) seems odd.

/mz
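The robustness argument in the message above, as an added example that is not part of the original thread: a policy declared in a `<meta http-equiv="Content-Security-Policy">` tag is still present after a filter strips an inline `<script>` block, whereas a policy installed from script (the hypothetical `document.enforceSecurityPolicy` API quoted above) disappears together with the block that carries it. The sample document, the `dropInlineScripts` model of a script-stripping filter, and the `metaPolicy` / `scriptPolicy` / `effectivePolicies` helpers are all constructed for this illustration; only the API name comes from the thread.

```javascript
// Constructed sample document carrying the same policy through both
// delivery mechanisms (meta tag and the hypothetical script API).
const SAMPLE_HTML = `<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script>document.enforceSecurityPolicy("default-src 'self'");</script>
</head><body>
<script src="/app.js"></script>
</body></html>`;

// Policy declared via <meta http-equiv="Content-Security-Policy" content="...">.
function metaPolicy(html) {
  const re = /<meta\s+[^>]*http-equiv\s*=\s*"Content-Security-Policy"[^>]*content\s*=\s*"([^"]*)"[^>]*>/i;
  const m = html.match(re);
  return m ? m[1] : null;
}

// Policy an inline script would install through the hypothetical API.
function scriptPolicy(html) {
  const re = /document\.enforceSecurityPolicy\(\s*"([^"]*)"\s*\)/;
  const m = html.match(re);
  return m ? m[1] : null;
}

// Model (assumption, not any real browser's logic) of a filter that drops
// whole inline <script> blocks satisfying a predicate while leaving the rest
// of the document intact, i.e. the "some blocks but not others" effect the
// message describes. <script src=...> blocks are not touched.
function dropInlineScripts(html, predicate) {
  return html.replace(/<script>([\s\S]*?)<\/script>/gi, (whole, body) =>
    predicate(body) ? "" : whole);
}

// Effective policy from each mechanism once the filter has removed the
// inline block that installs the script-delivered policy.
function effectivePolicies(html) {
  const filtered = dropInlineScripts(html, body => body.includes("enforceSecurityPolicy"));
  return { meta: metaPolicy(filtered), script: scriptPolicy(filtered) };
}

console.log(effectivePolicies(SAMPLE_HTML));
```

The meta-delivered policy is the same before and after the filter pass, while the script-delivered one comes back as `null`; the declarative form cannot be switched off by neutralising a script block, which is the practical reason for keeping `<meta>` as a deployment option.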
Received on Wednesday, 2 May 2012 16:33:01 GMT