Re: Cross-Origin Resource Embedding Restrictions

Adam wrote:
 >
 > There's been a bunch of discussion on the public-web-security mailing
 > list about the scope of CSP.  Some folks think that CSP should be a
 > narrow feature targeted at mitigating cross-site scripting.  Other
 > folks (e.g., as articulated in
 > <http://w2spconf.com/2010/papers/p11.pdf>) would like to see CSP be
 > more of a one-stop shop for configuring security-relevant policy for a
 > web site.

Well, to be clear, we (AndyS and I) aren't calling (in the above-cited paper)
for CSP per se to address all use cases -- rather, we see it as a non-trivial
piece of a necessarily multi-faceted approach to crafting a more coherent
approach to web application security.

That said, we do feel that attenuation of the growth of the number of distinct
HTTP header fields would probably be a good thing, which would augur for trying
to figure out how, e.g., CSP might address this use case.

=JeffH

Received on Tuesday, 1 March 2011 18:30:20 UTC