- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Wed, 04 Feb 2015 15:07:18 -0800
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike West <mkwst@google.com>
- Cc: Crispin Cowan <crispin@microsoft.com>, Yoav Weiss <yoav@yoav.ws>, Joel Weinberger <jww@chromium.org>, Boris Chen <boris@tcell.io>, Dmitry Polyakov <dpolyakov@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> Still, the way for webapp design to achieve these goals with systems in
> place today is to deliberately change the execution context when the app
> needs to alter CSP.
>
> Is it worth injecting potential vulnerabilities in CSP (allowing the
> page to change its own policy) just to enable retaining the single
> execution state?

There is the safe use case of only allowing code to further restrict the CSP policy. This is useful if you want to effectively "drop privileges."

Deian
Received on Wednesday, 4 February 2015 23:07:49 UTC
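A tighten-only check of the kind Deian describes, added here as an illustration that is not part of the thread or any browser's code: a page-supplied replacement policy is accepted only if it is at least as restrictive as the current one for every fetch directive. The parser and comparison are a simplification of real CSP source matching (sources are compared as opaque strings apart from `'none'`, `*` and `'self'`).

```javascript
// Added example: "drop privileges only" check for a page-modifiable CSP.
// Assumption: source expressions are opaque strings except 'none' (empty list),
// '*' (any host/scheme source) and 'self'; nonces, hashes and path matching
// are not modelled. Only the fetch directives listed below are compared.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src', 'worker-src'];

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into
// Map<directive, Set<source>>. Directive names are case-insensitive and,
// as in CSP, only the first occurrence of a directive is honoured.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const raw of serialized.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    const sources = new Set(tokens.slice(1));
    if (sources.has("'none'")) sources.clear(); // 'none' allows nothing
    policy.set(name, sources);
  }
  return policy;
}

// Sources in effect for a fetch directive: the directive itself, else
// default-src, else null meaning "unrestricted".
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// True if every source the new directive allows was already allowed.
function isSubset(newSources, oldSources) {
  if (oldSources === null) return true;   // nothing was restricted before
  if (newSources === null) return false;  // new policy would lift a restriction
  if (oldSources.has('*')) {
    // '*' covers host/scheme sources and 'self', but not other keywords
    // such as 'unsafe-inline', which must have been granted explicitly.
    return [...newSources].every(s =>
      s === "'self'" || !s.startsWith("'") || oldSources.has(s));
  }
  return [...newSources].every(s => oldSources.has(s));
}

// Accept `candidate` only if it removes privileges relative to `current`.
function isRestriction(current, candidate) {
  const oldP = parsePolicy(current), newP = parsePolicy(candidate);
  return FETCH_DIRECTIVES.every(d =>
    isSubset(effectiveSources(newP, d), effectiveSources(oldP, d)));
}
```

Note that dropping `default-src` while narrowing `script-src` is rejected, because the other fetch directives would fall back from the old default to unrestricted.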