Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

>    Where am I going with this? Well, we should implement a PoC policy
> generator and run it on some fairly large websites before we nail the

I would also add developing policies for common applications like
Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for
Bugzilla and it seemed too much work to do it without enabling
inline-scripts.

> We Mustn't Spoil Performance

This is something I have been concerned about for a while now. If you
look at YouTube, a good target for CSP deployment imo, then it has a
bunch of inline-scripts inside the HTML content that they use for
timing measurement and performance testing. It seems that CSP would
just take this away since adding a <script src='blahblah'> is
impractical from a performance perspective.

-devdatta

Received on Monday, 24 January 2011 05:48:17 UTC
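The quoted message asks for a PoC policy generator, and the reply worries about pages whose inline timing scripts a CSP without inline script would block. The following is an added example, not code from the message, the thread, or any CSP implementation: a small Python scanner that collects a page's external script origins into a draft script-src list and counts the inline script blocks and inline event handlers that such a policy would block, plus a checker that reads a policy string back and reports whether inline script is permitted. The sample HTML and the host static.example.com are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two external hosts (one relative, one absolute),
# one inline timing block and one inline event handler.
SAMPLE_HTML = """<html><head>
<script src="https://static.example.com/lib.js"></script>
<script src="/js/app.js"></script>
<script>var t0 = Date.now();</script>
</head><body onload="report(t0)">
<script src="https://static.example.com/other.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects script sources and counts inline script that CSP would block."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attribute of every <script src=...>
        self.inline_blocks = 0    # <script> elements with a body and no src
        self.inline_handlers = 0  # on* attributes such as onload/onclick
        self._in_script = False
        self._has_src = False
        self._buf = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Inline event handlers are inline script under CSP as well.
        self.inline_handlers += sum(1 for name in attrs if name.lower().startswith("on"))
        if tag.lower() == "script":
            src = attrs.get("src")
            self._has_src = bool(src)
            if src:
                self.external.append(src)
            self._in_script = True
            self._buf = ""

    def handle_data(self, data):
        if self._in_script:
            self._buf += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            if not self._has_src and self._buf.strip():
                self.inline_blocks += 1
            self._in_script = False


def source_expression(src):
    """Map a script URL to the CSP source expression that would allow it."""
    p = urlparse(src)
    if not p.scheme and not p.netloc:
        return "'self'"              # relative URL: same origin as the page
    if p.scheme and p.netloc:
        return f"{p.scheme}://{p.netloc}"
    return p.netloc                  # protocol-relative "//host/path"


def audit(html):
    """Draft a script-src policy from a page and report what it would block."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hosts = sorted({source_expression(s) for s in collector.external} - {"'self'"})
    policy = "default-src 'self'; script-src " + " ".join(["'self'"] + hosts)
    return {
        "policy": policy,
        "external_scripts": len(collector.external),
        "inline_blocks": collector.inline_blocks,
        "inline_handlers": collector.inline_handlers,
    }


def policy_allows_inline(policy):
    """True if the policy permits inline script (explicitly or by omission)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "script-src" not in directives and "default-src" not in directives:
        return True  # no governing directive: CSP places no restriction
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    print(report["policy"])
    print("inline blocks that would be blocked:", report["inline_blocks"])
    print("inline handlers that would be blocked:", report["inline_handlers"])
    print("policy allows inline script:", policy_allows_inline(report["policy"]))
```

The audit deliberately never emits 'unsafe-inline': the count of blocked inline blocks and handlers is the figure a deployment team needs before deciding whether to move that script into external files or loosen the policy. The checker treats a policy with neither script-src nor default-src as permissive, which matches CSP's fallback behaviour. Later CSP levels added nonce- and hash-based source expressions to admit a specific inline block without 'unsafe-inline'; the 2011 draft discussed in this thread did not have them.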