
Re: Trimming the SecurityPolicy DOM interface

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 16 May 2013 09:47:35 -0700
Message-ID: <51950DA7.4050007@mozilla.com>
To: Eduardo' Vela <evn@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 5/1/2013 12:32 AM, Eduardo' Vela wrote:
> On the other point, I assume that means sites that want ads won't be
> able to use CSP?

Why not? The site knows who its ad partners are and can whitelist them.

It may require ad providers to be more forthcoming about their hidden 
partnerships and sub-contractors. The fact that site authors don't know 
that their ad provider is injecting random 4th and 5th party crap into 
their pages is a security problem in the first place.

If CSP proves successful at stopping XSS in practice then there will be 
a market for CSP-friendly ad providers.

-Dan Veditz

Received on Thursday, 16 May 2013 16:48:07 UTC
