- From: Eduardo' Vela <evn@google.com>
- Date: Thu, 16 May 2013 09:56:42 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-webappsec@w3.org
Received on Thursday, 16 May 2013 16:57:17 UTC
Usually ads problems come in the form of iframes redirecting to different domains rather than scripts. The result, at least short/medium term, is going to be that sites with ads won't use CSP, not the other way around (ads networks changing their whole business model for us).

On May 16, 2013 9:47 AM, "Daniel Veditz" <dveditz@mozilla.com> wrote:

> On 5/1/2013 12:32 AM, Eduardo' Vela wrote:
>
>> On the other point, I assume that means sites that want ads won't be
>> able to use CSP?
>
> Why not? The site knows who its ad partners are and can whitelist them.
>
> It may require ad providers to be more forthcoming about their hidden
> partnerships and sub-contractors. The fact that site authors don't know
> that their ad provider is injecting random 4th and 5th party crap into
> their pages is a security problem in the first place.
>
> If CSP proves successful at stopping XSS in practice then there will be a
> market for CSP-friendly ad providers.
>
> -Dan Veditz