- From: Gervase Markham <gerv@mozilla.org>
- Date: Tue, 25 Jan 2011 14:49:37 +0000
- To: Adam Barth <w3c@adambarth.com>
- CC: Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On 24/01/11 23:50, Adam Barth wrote:
> To pick on one example, adding "inline" as script-src is a disaster
> for security, yet it's tempting enough that a number of folks who
> I've seen try to use CSP decide to add it. IMHO, CSP would be better
> at mitigating XSS without the "inline" option for "script-src".

Well, if you don't use the 'inline' option, of course CSP is better at mitigating XSS ;-)

I think you mean: "CSP would mitigate more XSS attacks if the 'inline' option for 'script-src' were not a part of the spec and not implemented."

However, that's definitely a debatable point. If you make CSP too hard to adopt, fewer people will use it full stop - and so not get XSS protection, or any other protections. Allowing 'inline-src' makes the adoption curve for CSP less steep. Yes, some people will stop half way up the curve; but I would suggest that a less steep curve means that more people will persevere to the top.

Gerv
Received on Tuesday, 25 January 2011 14:50:24 UTC
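As an added example that is not part of the thread: a small Python checker that parses a Content-Security-Policy header and reports whether the effective script-src permits inline script, the setting the two posts disagree about. The thread uses the draft keyword 'inline'; the specification as shipped spells it 'unsafe-inline', and in CSP Level 2 and later a browser ignores 'unsafe-inline' when the same directive also carries a nonce or hash source, so the check goes slightly beyond the thread and accounts for all three cases. The policy strings below are constructed samples, and the function names are this example's own.

```python
"""CSP linter: does the effective script-src allow inline script?

Added example, not code from the mailing-list thread. Parses a
Content-Security-Policy header value and reports findings a defender
would want flagged before deploying the policy.
"""
from __future__ import annotations

# 'inline' is the early-draft spelling discussed in the thread;
# 'unsafe-inline' is what the shipped CSP specifications use.
INLINE_KEYWORDS = {"'inline'", "'unsafe-inline'"}

# Nonce and hash sources (CSP Level 2+). When any of these is present in a
# directive, browsers ignore 'unsafe-inline' in that same directive.
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, directive
    names are case-insensitive, and a repeated directive is ignored (the
    first occurrence wins), matching browser behaviour.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: keep the first one
        policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs scripts; if absent, default-src applies; if neither
    is present the policy places no restriction on scripts at all."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return policy[name]
    return None


def allows_inline_script(header: str) -> bool:
    """True when a page served with this header will run injected inline script."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # nothing restricts scripts, so inline script runs
    lowered = [s.lower() for s in sources]
    has_inline_keyword = any(s in INLINE_KEYWORDS for s in lowered)
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    return has_inline_keyword and not has_nonce_or_hash


def lint(header: str) -> list[str]:
    """Return human-readable findings about script loading under this policy."""
    policy = parse_csp(header)
    findings: list[str] = []
    sources = effective_script_sources(policy)
    if sources is None:
        findings.append("no script-src or default-src: script loading and inline script are unrestricted")
        return findings
    if allows_inline_script(header):
        findings.append("script-src allows inline script: an injected <script> or event handler "
                        "executes, so this policy does not mitigate reflected or stored XSS")
    if "*" in sources:
        findings.append("script-src allows '*': scripts may be loaded from any origin")
    return findings


# Constructed sample policies (not from the thread).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
DRAFT_WEAK_POLICY = "default-src 'self'; script-src 'self' 'inline'"  # the thread's spelling
HARDENED_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
NONCED_POLICY = "script-src 'nonce-d41d8cd9' 'unsafe-inline'"  # nonce neutralises 'unsafe-inline'

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("draft-weak", DRAFT_WEAK_POLICY),
                          ("hardened", HARDENED_POLICY), ("nonced", NONCED_POLICY)):
        print(f"{label}: inline allowed = {allows_inline_script(policy)}")
        for finding in lint(policy):
            print("  -", finding)
```

The fallback rule matters in practice: a policy that sets `default-src 'self' 'unsafe-inline'` and no `script-src` still allows inline script, while the same keyword under `default-src` is harmless once a stricter `script-src` is present.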