
Re: Trimming the SecurityPolicy DOM interface

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 16 May 2013 10:09:03 -0700
Message-ID: <519512AF.1090208@mozilla.com>
To: Eduardo' Vela <evn@google.com>
CC: public-webappsec@w3.org

On 5/16/2013 9:56 AM, Eduardo' Vela wrote:
> Usually ads problems come in the form of iframes redirecting to
> different domains rather than scripts.

"frame-src *" solves that, doesn't it? May not be as tight a policy as 
you would like but better than no CSP at all, especially if you can 
block unsafe-inline.

> The result, at least short/medium term is going to be that sites with
> ads won't use CSP, not the other way around (ads networks changing their
> whole business model for us).

Sounds like a good market opportunity for Google :-)

-Dan Veditz



Received on Thursday, 16 May 2013 17:09:35 UTC
