- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 14 Jun 2011 10:33:05 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Brian Smith <bsmith@mozilla.com>, public-web-security@w3.org
On 06/14/2011 10:10 AM, Adam Barth wrote: >> So I think we either need to create a different category (xslt-src?) for >> XSL stylesheets, or lump them with script-src which sites will >> understand has a higher risk profile. Thoughts? > > I'd lump them in with script-src. The problem is that they're > somewhat obscure and authors aren't going to understand the security > implications. If you and I didn't get it right the first time, what > chance do author's have? > > Adam Okay, this sounds fine. Giorio seems to agree. I'll wait to see if there are objections, otherwise I'll make this change. It is troubling that some of these technologies are so poorly understood, even by us "experts". I think putting XSLT with script-src has the advantage that most users will understand that trusting a site to serve script has a high amount of risk, and any risk aversion will automatically transfer to XSLT as well. This would not be the case if we created xslt-src, which most sites would be unlikely to specify, and could inadvertently permit this functionality through default-src. Cheers, Brandon
Received on Tuesday, 14 June 2011 17:32:08 UTC