- From: Michal Zalewski <lcamtuf@google.com>
- Date: Wed, 12 Feb 2014 01:57:34 -0800
- To: Mike West <mkwst@google.com>
- Cc: "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
> I agree with you that preserving paths for scripts would be useful. I
> disagree that a lack of paths would make CSP unusable for Google, just less
> effective.

Well, the primary benefit that makes it worth going through the effort of retrofitting CSP or automatically generating new policies within frameworks is the prospect of preventing XSS. But if almost all of our applications need to whitelist the entire https://www.google.com/ as a permissible source for scripts, then... well, "less effective" is probably a very polite way of putting it, because there are dozens of essential public APIs that would effectively permit attackers to effectively execute nearly-arbitrary JS :-)

Another example: https://www.google.com/jsapi?callback=foo[1].bar

/mz
Received on Wednesday, 12 February 2014 09:58:21 UTC
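The source-expression matching this thread is arguing about, as an added example that is not part of the original message or of any W3C or Google code: a minimal Python model of how a CSP Level 2 `script-src` entry with and without a path part decides whether a script URL may load, run against the jsapi endpoint cited in the message. The policies and the `app.js` URL are constructed for illustration; the matching function implements only the scheme, host and path rules needed here (no wildcards, scheme-less expressions or port handling), not the full specification algorithm.

```python
"""Added example: model of CSP Level 2 path matching for script-src.

Not part of the original mailing-list message. Only the rules needed to
illustrate the thread are implemented; the real algorithm in the CSP
specification has more cases (wildcards, ports, scheme-less expressions).
"""
from typing import Dict, Sequence
from urllib.parse import unquote, urlsplit


def source_allows(source_expr: str, script_url: str) -> bool:
    """Return True if `script_url` matches the source expression.

    Rules modelled:
    - scheme and host must match exactly;
    - an expression with no path part (or just '/') matches every path
      on that host;
    - a path part ending in '/' is a prefix match;
    - any other path part must match the URL path exactly;
    - the URL's query string and fragment are ignored, so an endpoint
      whose behaviour depends on a query parameter (the callback= case
      in the message) is reachable whenever its path is in the allowed set.
    """
    src = urlsplit(source_expr)
    url = urlsplit(script_url)
    if src.scheme.lower() != url.scheme.lower():
        return False
    if src.netloc.lower() != url.netloc.lower():
        return False
    src_path = unquote(src.path)
    url_path = unquote(url.path) or "/"
    if src_path in ("", "/"):
        return True  # the whole origin is whitelisted
    if src_path.endswith("/"):
        return url_path.startswith(src_path)
    return url_path == src_path


def policy_allows(script_src: Sequence[str], script_url: str) -> bool:
    """A script is allowed if any expression in the script-src list matches."""
    return any(source_allows(expr, script_url) for expr in script_src)


# Constructed policies (assumptions for this example) and the endpoint
# cited in the message.
ORIGIN_WIDE = ["https://www.google.com/"]          # what the message warns about
PATH_SCOPED = ["https://www.google.com/js/"]       # only a dedicated script directory
ENDPOINT_ITSELF = ["https://www.google.com/jsapi"]  # exact path, query still ignored
JSAPI = "https://www.google.com/jsapi?callback=foo[1].bar"
LIB = "https://www.google.com/js/app.js"            # constructed script URL


def report() -> Dict[str, bool]:
    """Evaluate the three policies against the two URLs."""
    return {
        "origin_wide allows jsapi": policy_allows(ORIGIN_WIDE, JSAPI),
        "path_scoped allows jsapi": policy_allows(PATH_SCOPED, JSAPI),
        "path_scoped allows lib": policy_allows(PATH_SCOPED, LIB),
        "endpoint_itself allows jsapi": policy_allows(ENDPOINT_ITSELF, JSAPI),
    }


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name}: {allowed}")
```

The last row of the report is the practical caveat for anyone tuning a path-scoped policy: because matching stops at the path, whitelisting the endpoint's own path gives no protection at all; the path list has to exclude every endpoint whose response is influenced by request parameters, not merely be narrower than the origin.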