- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 25 Jan 2011 14:32:11 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On Tue, Jan 25, 2011 at 2:05 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 01/25/2011 01:45 PM, Adam Barth wrote:
>> Ideally, we could come up with a policy mechanism that let us nail XSS
>> today and that fostered innovation in security for years to come. In
>> the short term, you could view the existing CSP features (e.g.,
>> clickjacking protection) as the first wave of innovation. If those
>> pieces are popular, then it should be easy for other folks to adopt
>> them.
>
> Others have expressed interest in the existing CSP features within this
> discussion. If people find the features useful now then why would take
> a wait-and-see approach to building them in to the model?

Because I'd like to wait-and-see whether they're right. :)

Less glibly, I think that CSP has a bunch of ideas bundled together. I think some of those ideas are great (like limiting where you get scripts from), but I think that others aren't as great (e.g., limiting where you can XHR or the clickjacking mitigation). I'd like to implement the great ideas now and pave the way for implementing more great ideas in the future.

Adam
Received on Tuesday, 25 January 2011 22:33:16 UTC