Re: Scope and complexity (was Re: More on XSS mitigation) from Adam Barth on 2011-01-25 (public-web-security@w3.org from January 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Jan 2011 10:42:06 -0800
To: Gervase Markham <gerv@mozilla.org>
Cc: Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
Message-ID: <AANLkTik+DuEWGLEP0OPZbtaPbtkSzEX8Zg5z7a1Texwj@mail.gmail.com>

On Tue, Jan 25, 2011 at 6:49 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 24/01/11 23:50, Adam Barth wrote:
>> To pick on one example, adding "inline" as script-src is disaster
>> for security, yet its temping enough that a number of folks who've
>> I've seen try to use CSP decide to add it.  IMHO, CSP would be better
>> at mitigating XSS without the "inline" option for "script-src".
>
> Well, if you don't use the 'inline' option, of course CSP is better at
> mitigating XSS ;-)
>
> I think you mean: "CSP would mitigate more XSS attacks if the 'inline'
> option for 'script-src' were not a part of the spec and not implemented."

Yes.

> However, that's definitely a debateable point. If you make CSP to hard to
> adopt, fewer people will use it full stop - and so not get XSS protection,
> or any other protections. Allowing 'inline-src' makes the adoption curve for
> CSP less steep. Yes, some people will stop half way up the curve; but I
> would suggest that a less steep curve means that more people will persevere
> to the top.

Maybe we'd have to ask these folks to see what they had in mind, but
it's unclear to me whether they understand that they've essentially
given away their XSS protection.

>From <http://people.mozilla.com/~bsterne/content-security-policy/>,
"Mitigate Cross Site Scripting" is the primary goal of CSP.  All the
other goals are listed as secondary.

On Tue, Jan 25, 2011 at 8:48 AM, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:
> CSP isn't only useful for stopping XS either.  It can be a policy enforcement for where scripts can come from.  Just like it can control framing, which isn't really about XSS either.   I think it would be a lot less useful if it didn't include those capabilities/functions, as those are some of my major initial use cases.

IMHO, in the first iteration we should nail XSS and set up a
extensible policy framework that we can extend to address other
threats in the future.

Adam

Received on Tuesday, 25 January 2011 18:43:15 UTC