On Wed, Feb 12, 2014 at 5:18 PM, Michal Zalewski <lcamtuf@coredump.cx>wrote: > > Neither GitHub nor Facebook use paths in their policies today. > > Well, I don't think it's fair to use this as an argument given that > paths aren't a part of CSP 1.0 and probably very few people outside > this list even know they were supported; the awareness of potential > weaknesses on origin-scoped CSP is probably about as limited; and the > number of observed attacks that leveraged origin scoping weaknesses in > the past is very close to zero. > It's fair only in terms of responding to the claim that CSP without paths doesn't have value. :) (Plus, glass houses, stones: it's nor like non-path-based CSP is > enjoying widespread adoption at this point to begin with, so we should > be careful with using current adoption as a proxy for future > usefulness.) Very fair point. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 12 February 2014 16:26:33 UTC