Re: An urge for CSP META tag in 1.0

On 4/27/12 2:18 AM, John Wilander wrote:
> Here are my arguments for bringing support for CSP in meta tags back
> into 1.0:
> 
>  1. *Ease of adoption over "perfect" security*.

For the developers who want to use CSP, meta tag support is a win: it
allows CSP use in many more situations such as those you presented
in your points 2-4. Combining a content-injection protection policy
with the content it's trying to protect carries risk that the policy
might be subverted, but I get your argument that it's better than
"perfect but not deployed".

My main concern is that supporting the meta tag turns CSP into a
weapon that can be used against sites that know nothing about CSP and
are not trying to protect against it. They may have simple filters
trying to block <script> tags and on* event handlers, and get
broadsided by a <meta> tag that selectively turns off some of the
scripts that are essential to the page -- think of some of the
attacks on the early versions of IE XSS protection.

We should not be adding a "security" feature that makes existing
pages less secure if they have not opted into it.

-Dan Veditz

Received on Tuesday, 1 May 2012 18:46:05 UTC
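The scenario Dan describes, as an added example that is not part of the original thread or of any browser's CSP implementation: a site runs a naive filter that strips <script> elements and on* attributes, an attacker's comment carries a <meta http-equiv="Content-Security-Policy"> tag that the filter lets through, and a simplified source-list matcher shows which of the page's own scripts the injected policy would turn off. The origin https://shop.example.com, the CDN host, the script paths and the HTML are all constructed for illustration; the CSP matcher only handles the handful of source expressions the example needs.

```javascript
// Added example, not code from the original mailing-list thread. Models the
// "CSP as a weapon" concern: a site that knows nothing about CSP filters
// <script> and on* handlers, an injected <meta> policy slips past the filter,
// and the policy selectively disables the page's own scripts.
// All origins, paths and HTML below are constructed for this example.

const PAGE_ORIGIN = "https://shop.example.com"; // hypothetical victim site

// Naive XSS filter: removes <script>...</script> and on*= attributes, nothing else.
function naiveXssFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Return the policy string from the first CSP <meta> tag in html, or null.
function extractMetaCsp(html) {
  const re = /<meta\b[^>]*\bhttp-equiv\s*=\s*["']?Content-Security-Policy["']?[^>]*\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
  const m = re.exec(html);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Parse "directive src src; directive src" into { directive: [sources] }.
// As in CSP, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified source matching: 'none', 'self', 'unsafe-inline', '*', and
// scheme://host or bare host sources. scriptUrl === null means inline script.
function scriptAllowed(directives, scriptUrl) {
  const sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true; // no applicable directive: nothing is blocked
  if (sources.includes("'none'")) return false;
  if (scriptUrl === null) return sources.includes("'unsafe-inline'");
  const target = new URL(scriptUrl, PAGE_ORIGIN);
  return sources.some((s) => {
    if (s === "'self'") return target.origin === PAGE_ORIGIN;
    if (s === "*") return true;
    if (s.startsWith("'")) return false; // other keywords: not relevant here
    try {
      return new URL(s).origin === target.origin;
    } catch (_) {
      return target.hostname === s; // bare host source
    }
  });
}

// The page's own scripts: a CDN library, an essential same-origin script
// (e.g. attaching the CSRF token), and an inline initialisation call.
const PAGE_SCRIPTS = ["https://cdn.example.net/jquery.js", "/js/csrf-token.js", null];

// Render the page around the (filtered) untrusted comment, then report which
// of the page's own scripts would still run under any policy it smuggled in.
function renderAndEvaluate(untrustedComment) {
  const html =
    '<html><head><script src="https://cdn.example.net/jquery.js"></script>' +
    '<script src="/js/csrf-token.js"></script></head><body>' +
    '<div class="comment">' + naiveXssFilter(untrustedComment) + "</div>" +
    "<script>initCheckout()</script></body></html>";
  const policy = extractMetaCsp(html);
  const directives = policy ? parseCsp(policy) : {};
  return { policy, allowed: PAGE_SCRIPTS.map((u) => scriptAllowed(directives, u)) };
}

// Usage: an ordinary script injection is stripped, a CSP <meta> injection is not.
const attack = '<meta http-equiv="Content-Security-Policy" content="script-src https://cdn.example.net">';
console.log(renderAndEvaluate("<script>alert(1)</script>nice shop"));
console.log(renderAndEvaluate(attack));
```

With the injected policy the CDN library still loads while the same-origin CSRF script and the inline initialiser are blocked, which is exactly the selective breakage the message warns about: the filter never saw anything it considered dangerous, and the page has not opted into CSP at all.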