Re: Trimming the SecurityPolicy DOM interface

On 5/1/2013 12:32 AM, Eduardo' Vela wrote:
> On the other point, I assume that means sites that want ads won't be
> able to use CSP?

Why not? The site knows who its ad partners are and can whitelist them.

It may require ad providers to be more forthcoming about their hidden 
partnerships and sub-contractors. The fact that site authors don't know 
that their ad provider is injecting random 4th and 5th party crap into 
their pages is a security problem in the first place.

If CSP proves successful at stopping XSS in practice then there will be 
a market for CSP-friendly ad providers.

-Dan Veditz

Received on Thursday, 16 May 2013 16:48:07 UTC