Re: Remove paths from CSP?

> I agree with you that preserving paths for scripts would be useful. I
> disagree that a lack of paths would make CSP unusable for Google, just less
> effective.

Well, the primary benefit that makes it worth going through the effort
of retrofitting CSP or automatically generating new policies within
frameworks is the prospect of preventing XSS.

But if almost all of our applications need to whitelist the entire
https://www.google.com/ as a permissible source for scripts, then...
well, "less effective" is probably a very polite way of putting it,
because there are dozens of essential public APIs that would
effectively permit attackers to effectively execute nearly-arbitrary
JS :-) Another example:
https://www.google.com/jsapi?callback=foo[1].bar

/mz
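The point above, as an added illustration that is not part of the original thread: a simplified matcher for CSP Level 2 source expressions (exact host only, no wildcards, nonces or hashes) shows that an origin-only `script-src https://www.google.com` admits the `/jsapi?callback=...` endpoint, while a path-scoped source does not; the `isSafeCallbackName` helper is an assumed server-side hardening for JSONP endpoints, not something the post prescribes.

```javascript
// Added example: simplified CSP2 path matching for a script-src source list.
// Simplifications (assumptions): scheme and host must match exactly, default
// ports only, no 'self', '*.host' wildcards, nonces or hashes.

function matchesSource(sourceExpr, urlString) {
  // A bare host like "www.google.com" has no scheme; assume https so URL() parses it.
  const src = new URL(sourceExpr.includes('://') ? sourceExpr : 'https://' + sourceExpr);
  const url = new URL(urlString);
  if (src.protocol !== url.protocol || src.hostname !== url.hostname) return false;

  // CSP2 path rules: an expression without a path (URL() reports "/") matches
  // every path; a path ending in "/" is a prefix match; anything else is exact.
  // The query string is never part of the comparison.
  const srcPath = src.pathname;
  if (srcPath === '/' ) return true;
  if (srcPath.endsWith('/')) return url.pathname.startsWith(srcPath);
  return url.pathname === srcPath;
}

// True if any expression in the source list permits the script URL.
function scriptAllowed(sourceList, urlString) {
  return sourceList.some((expr) => matchesSource(expr, urlString));
}

// Assumed JSONP hardening: only reflect a callback that is a dotted chain of
// plain identifiers, so values carrying brackets or other syntax are refused.
function isSafeCallbackName(name) {
  return /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(name);
}

// Constructed sample inputs taken from the discussion.
const jsapiUrl = 'https://www.google.com/jsapi?callback=foo[1].bar';
const originOnlyPolicy = ['https://www.google.com'];     // what the post objects to
const pathScopedPolicy = ['https://www.google.com/js/']; // what paths would allow

console.log('origin-only allows jsapi:', scriptAllowed(originOnlyPolicy, jsapiUrl));
console.log('path-scoped allows jsapi:', scriptAllowed(pathScopedPolicy, jsapiUrl));
console.log('callback "foo[1].bar" safe:', isSafeCallbackName('foo[1].bar'));
```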

Received on Wednesday, 12 February 2014 09:58:21 UTC