Re: On the Insecurity of Whitelists and the Future of CSP from Mike West on 2016-09-08 (public-webappsec@w3.org from September 2016)

From: Mike West <mkwst@google.com>
Date: Thu, 8 Sep 2016 15:10:10 +0200
To: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>
Message-ID: <CAKXHy=cf_F=J1eEt_CqSgcj2vkc3nD_9TU01bvscBzxZeN4r=w@mail.gmail.com>

On Thu, Sep 8, 2016 at 2:08 PM, Christoph Kerschbaumer <
ckerschbaumer@mozilla.com> wrote:

> That's what I meant earlier. If we can provide better ways of stopping
> unwanted script from executing, then the exfiltration is less of an issue.
> I think the strict-dynamic approach can provide better security in that
> sense. Still, the syntax issue needs to be discussed. As in our precious
> email discussion, I think TPAC is probably a good venue, where all the
> people interested are sitting on one table.
>

What syntax issue do we need to discuss? If there are remaining syntax
questions, we should resolve them quickly, as Chrome is shipping what's
currently in the spec, and Google sites are beginning to rely on the
currently specified behavior. :)

-mike

Received on Thursday, 8 September 2016 13:11:29 UTC