Re: Trimming the SecurityPolicy DOM interface

From: Eduardo' Vela <evn@google.com>
Date: Thu, 16 May 2013 09:56:42 -0700
Message-ID: <CAFswPa-EodEfoTqUD_cwex-L5Aq1LL0S9qx-1yy6YWP6Dq3WxA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-webappsec@w3.org
Usually ads problems come in the form of iframes redirecting to different
domains rather than scripts.

The result, at least short/medium term, is going to be that sites with ads
won't use CSP, not the other way around (ads networks changing their whole
business model for us).

On May 16, 2013 9:47 AM, "Daniel Veditz" <dveditz@mozilla.com> wrote:

> On 5/1/2013 12:32 AM, Eduardo' Vela wrote:
>
>> On the other point, I assume that means sites that want ads won't be
>> able to use CSP?
>>
>
> Why not? The site knows who its ad partners are and can whitelist them.
>
> It may require ad providers to be more forthcoming about their hidden
> partnerships and sub-contractors. The fact that site authors don't know
> that their ad provider is injecting random 4th and 5th party crap into
> their pages is a security problem in the first place.
>
> If CSP proves successful at stopping XSS in practice then there will be a
> market for CSP-friendly ad providers.
>
> -Dan Veditz
>
>
Received on Thursday, 16 May 2013 16:57:17 UTC