- From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
- Date: Tue, 25 Jan 2011 09:48:57 -0700
- To: Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>
- CC: Lucas Adamski <lucas@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Gervase Markham
>
> However, that's definitely a debatable point. If you make CSP too hard to
> adopt, fewer people will use it full stop - and so not get XSS protection, or
> any other protections. Allowing 'inline-src' makes the adoption curve for CSP
> less steep. Yes, some people will stop half way up the curve; but I would
> suggest that a less steep curve means that more people will persevere to the
> top.

CSP isn't only useful for stopping XSS either. It can be a policy enforcement for where scripts can come from. Just like it can control framing, which isn't really about XSS either. I think it would be a lot less useful if it didn't include those capabilities/functions, as those are some of my major initial use cases.

- Andy
Received on Tuesday, 25 January 2011 16:49:35 UTC