- From: gaz Heyes <gazheyes@gmail.com>
- Date: Wed, 8 Jun 2011 20:26:52 +0100
- To: John Wilander <john.wilander@owasp.org>
- Cc: public-web-security@w3.org
Received on Wednesday, 8 June 2011 19:27:19 UTC
On 8 June 2011 12:19, John Wilander <john.wilander@owasp.org> wrote:
> To get ready for Content Security Policy in production, organizations have
> to get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers, but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there, and the decision to use
> them is typically made by managers closer to money than the security
> department typically is.

As I see it there are two problems:

a) Sites will wrongly implement a CSP policy with inline enabled (XSS protection off) to make analytics work rather than put them in a separate file.

b) The analytics on the page will be abused to log their XSS attacks without using another external server.

Both break CSP at the core IMO, and unless an alternative method is developed to handle inline script then it drastically reduces CSP effectiveness.
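Problem (a) above is a policy-configuration mistake that can be caught mechanically. The following is an added example, not code from either correspondent: a small checker that parses a Content-Security-Policy header, works out which directive governs scripts, and flags a policy that keeps 'unsafe-inline' to make an analytics snippet work, shown next to the corrected policy that serves the same script from a file. The analytics host (www.google-analytics.com) is an assumed illustration, and the nonce/hash handling reflects later CSP versions than the 2011 discussion, where the only fix was to move inline code into a separate file.

```python
"""Added example (not from the mailing-list thread): detect a CSP that
re-enables inline script. The sample headers below are constructed."""

from typing import Dict, List

# Sources that, when present alongside 'unsafe-inline', cause CSP2+ browsers
# to ignore 'unsafe-inline'. (Not part of the 2011 discussion; assumption
# reflecting later CSP levels.)
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into directive-name -> list of source expressions.
    Directives are ';'-separated; the first token is the name, the rest sources."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs script loading; default-src is the fallback when
    script-src is absent. An empty list means no script restriction at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """True when the policy still lets inline <script> and inline handlers run,
    i.e. the XSS protection the reply talks about is effectively switched off."""
    sources = [s.lower() for s in effective_script_sources(policy)]
    if not sources:
        # Neither script-src nor default-src: nothing restricts scripts.
        return True
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def check_header(header: str) -> List[str]:
    """Return human-readable findings for a header value (empty list = clean)."""
    policy = parse_csp(header)
    findings: List[str] = []
    if not effective_script_sources(policy):
        findings.append("no script-src or default-src: scripts are unrestricted")
    elif allows_inline_script(policy):
        findings.append("script directive contains 'unsafe-inline': inline script "
                        "(and therefore most reflected/stored XSS) will execute")
    return findings


# Constructed sample: the policy the reply warns about, written to keep an
# inline analytics bootstrap snippet working.
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' https://www.google-analytics.com")

# Constructed sample: same policy after moving the snippet into a file on 'self';
# the analytics host is still allowed, inline code is not.
FIXED_POLICY = ("default-src 'self'; "
                "script-src 'self' https://www.google-analytics.com")


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label}: {header}")
        for finding in check_header(header) or ["ok"]:
            print(f"  - {finding}")
```

The checker looks only at the directive that actually governs scripts, so a `default-src 'unsafe-inline'` without a `script-src` is reported just like an explicit `script-src 'unsafe-inline'`; a policy that omits both is reported as unrestricted rather than as safe.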