W3C home > Mailing lists > Public > www-archive@w3.org > July 2009

Re: Comments on the Content Security Policy specification

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 30 Jul 2009 20:05:45 +0200
To: "Daniel Veditz" <dveditz@mozilla.com>, "Ian Hickson" <ian@hixie.ch>
Cc: "Bil Corry" <bil@corry.biz>, "Brandon Sterne" <bsterne@mozilla.com>, dev-security@lists.mozilla.org, www-archive@w3.org, jonas@sicking.cc, "Sid Stamm" <sid@mozilla.com>
Message-ID: <op.uxv67vdi64w2qv@annevk-t60>
On Thu, 30 Jul 2009 19:51:45 +0200, Daniel Veditz <dveditz@mozilla.com> wrote:
> Ian Hickson wrote:
>>> If a large site such as Twitter were to implement it,
>>> that's millions of users protected that otherwise wouldn't be.
>> Assuming they got it right.
> If they don't some researcher gets an easy conference talk out of
> bypassing the restrictions and poking fun at them, and then it gets
> fixed. The sites most likely to use and benefit from CSP are the ones
> most likely to be closely watched.

I seriously doubt that. I was at a conference in Portugal where a major ISP got pointed out the enormous amounts of holes they had which makes me think that given the severity of the problem (that and Rasmus Lerdorf indicating this was nothing new) it needs a rather simple solution because authors will not get it. They are not informed about all the various attacks that can happen on sites. Not at all. And this is not surprising given the vast complexity of the Web platform.

(Tne conference was a few months ago.)

Anne van Kesteren
Received on Thursday, 30 July 2009 18:06:57 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:43:34 UTC