Re: XSS mitigation in browsers

Yes, excellent point, and that is something we have been doing at Mozilla.  We spent a lot of time communicating with as much of the community and as many of the larger websites that we could get our hands on, and in many respects CSP is a reflection of those conversations.  We ended up putting many of the controls in there and improving on the reporting functionality as a direct result of that feedback.  That said, I think participating in the standards process is the next logical step in obtaining more feedback to improve the model further.

On a conceptual level, I am not really a believer in the current proliferation of orthogonal atomic mechanisms intended to solve very specific problems.  Security is a holistic discipline, and so I'm a big supporter of investing in an extensible declarative security policy mechanism that could evolve as the web and the threats that it faces do.  Web developers have a hard enough time with security already without being expected to master a potentially large number of different security mechanisms, each with their own unique threat model, implementation and syntax.  Not to mention trying to figure out how they're expected to interact with each other... how to manage the gaps and intersections between the models.
Lucas.

On Jan 20, 2011, at 2:49 PM, Michal Zalewski wrote:
> 
> I honestly think we should be putting a lot more emphasis on
> understanding actual use cases in complex environments for any
> security mechanisms proposed; coming up with unified frameworks,
> rather than disjointed solutions for small subsets of problems (CSP is
> a step in a good direction, but has some shortcomings); and engaging a
> far broader security community... I know this is not a productive
> complaint, and probably not a welcome one, but... :-)
> 
> /mz
> 

Received on Saturday, 22 January 2011 07:06:37 UTC