RE: Scope and complexity (was Re: More on XSS mitigation)

> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Gervase Markham
> 
> However, that's definitely a debatable point. If you make CSP too hard to
> adopt, fewer people will use it full stop - and so not get XSS protection, or
> any other protections. Allowing 'inline-src' makes the adoption curve for CSP
> less steep. Yes, some people will stop halfway up the curve; but I would
> suggest that a less steep curve means that more people will persevere to the
> top.

CSP isn't only useful for stopping XSS either. It can be a policy enforcement for where scripts can come from. Just like it can control framing, which isn't really about XSS either. I think it would be a lot less useful if it didn't include those capabilities/functions, as those are some of my major initial use cases.

- Andy
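The two non-XSS uses Andy names (restricting where scripts may come from, and controlling who may frame the page) are both decided by source-list matching. The evaluator below is an added illustration, not code from this thread or from any CSP implementation; it assumes the directive names `script-src`, `default-src` and `frame-ancestors` and the `'unsafe-inline'` keyword as later standardized (the quoted `'inline-src'` was a proposal), and evaluates a constructed sample policy.

```python
"""Tiny Content-Security-Policy evaluator (illustrative, not a full CSP parser)."""
from urllib.parse import urlsplit

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors"}

# Constructed sample policy: own-origin scripts plus one CDN, no framing at all.
SAMPLE_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://cdn.example.net; "
                 "frame-ancestors 'none'")
PAGE_ORIGIN = "https://www.example.com"


def parse_csp(header: str) -> dict:
    """Split 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression; scheme-only sources (e.g. https:) are
    not handled, which is a simplification of the real matching rules."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return _origin(url) == page_origin.lower()
    if s.startswith("'"):            # other keywords never match a URL
        return False
    host = (urlsplit(url).hostname or "").lower()
    if s.startswith("*."):           # *.example.com matches any subdomain
        return host.endswith(s[1:])
    if "://" in s:
        return _origin(url) == s
    return host == s


def allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if `url` is permitted by `directive` (script-src for a script,
    frame-ancestors for the origin trying to frame the page, ...)."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                  # no applicable directive: unrestricted
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline_script(policy: dict) -> bool:
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in [s.lower() for s in sources]
```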

Received on Tuesday, 25 January 2011 16:49:35 UTC