- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Tue, 1 Nov 2016 10:02:22 -0400
- To: whatwg@lists.whatwg.org
On 11/1/16 6:36 AM, Roger Hågensen wrote:
> Wait, are you saying that ContentSecurityPolicy can't be relied upon?

It depends on your threat model.

Content security policy is a tool that allows a web page to defend itself and its users from cross-site script injection attacks and the like. A fundamental assumption here is that the user is NOT the attacker, and hence the user's browser is cooperating with the web page to protect the user. It's a perfectly fine tool for the "user and page author are cooperating" threat model.

If, on the other hand, your threat model includes attacks by the _user_ on your server, you absolutely can't rely on CSP to defend against that. Most simply, the user can use a browser that doesn't support CSP. For addressing this class of attacks, you _have_ to rely on a completely server-side solution, because by assumption the client (the browser) is the attacker in this situation.

-Boris
Received on Tuesday, 1 November 2016 14:02:56 UTC
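The two threat models in the message above, as an added example that is not part of the original thread or of any WHATWG code. It models a comment endpoint: the server emits a CSP header (a request to the browser), the page's own script normalises input before submitting it, and a cooperating browser runs that script. A client the attacker controls (curl, a patched browser, devtools) runs none of it, so the only defence the server actually owns is the validation it performs in its own request handler. The endpoint, field names, length limit and host allowlist are all assumed for illustration.

```javascript
// Added example; not code from the original message. Endpoint shape,
// MAX_COMMENT_LENGTH and ALLOWED_HOSTS are assumptions for illustration.

const MAX_COMMENT_LENGTH = 280;
const ALLOWED_HOSTS = new Set(['example.com']);

// --- Server side -----------------------------------------------------------

// The CSP header is sent with the page. It only *asks* the receiving client to
// restrict what the page may load or submit; nothing here constrains requests.
function responseHeaders(nonce) {
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src 'nonce-${nonce}'; ` +
      `form-action 'self'; connect-src 'self'`,
  };
}

// Server-side validation: runs identically whatever produced the request.
function validateComment(body) {
  if (typeof body !== 'object' || body === null) {
    return { ok: false, reason: 'body is not an object' };
  }
  const { text, homepage } = body;
  if (typeof text !== 'string' || text.length === 0 || text.length > MAX_COMMENT_LENGTH) {
    return { ok: false, reason: 'text missing, empty or too long' };
  }
  if (homepage !== undefined) {
    let url;
    try { url = new URL(String(homepage)); } catch (e) {
      return { ok: false, reason: 'homepage is not a URL' };
    }
    if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) {
      return { ok: false, reason: 'homepage scheme or host not allowed' };
    }
  }
  return { ok: true };
}

const storedComments = [];

// Design 1: the server assumes only its own page (under its CSP, running its
// own script) can reach the endpoint, so it stores whatever arrives.
function handleTrustingClient(body) {
  storedComments.push(body);
  return { status: 200 };
}

// Design 2: the server validates on its own side before storing anything.
function handleValidating(body) {
  const result = validateComment(body);
  if (!result.ok) return { status: 400, reason: result.reason };
  storedComments.push(body);
  return { status: 200 };
}

// --- Client side -----------------------------------------------------------

// The page's own script: trims and truncates before submitting.
// A cooperating browser runs this; the server never gets to insist on it.
function pageScriptPrepare(text, homepage) {
  const body = { text: String(text).trim().slice(0, MAX_COMMENT_LENGTH) };
  if (homepage) body.homepage = String(homepage);
  return body;
}

function cooperatingBrowserSubmit(text, homepage) {
  return pageScriptPrepare(text, homepage);
}

// An attacker-controlled client sends exactly the bytes the attacker chose;
// the CSP header and the page script never run.
function attackerClientSubmit(rawBody) {
  return rawBody;
}
```

Under the "user and page author are cooperating" model the first design looks fine, because `pageScriptPrepare` always ran. Under the "user attacks the server" model the same design stores a 10,000-character comment with a `javascript:` homepage, while `handleValidating` rejects it with the same logic that also catches a cooperating browser submitting an all-whitespace comment.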