
Re: Remove paths from CSP?

From: Michal Zalewski <lcamtuf@google.com>
Date: Wed, 12 Feb 2014 01:57:34 -0800
Message-ID: <CAN44M3VP6-LLARgFVoc4GbmfKZo0mcN+OS1Z6y4xYv88MnUj1A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

> I agree with you that preserving paths for scripts would be useful. I
> disagree that a lack of paths would make CSP unusable for Google, just less
> effective.

Well, the primary benefit that makes it worth going through the effort
of retrofitting CSP or automatically generating new policies within
frameworks is the prospect of preventing XSS.

But if almost all of our applications need to whitelist the entire
https://www.google.com/ as a permissible source for scripts, then...
well, "less effective" is probably a very polite way of putting it,
because there are dozens of essential public APIs that would
effectively permit attackers to execute nearly-arbitrary
JS :-) Another example:
https://www.google.com/jsapi?callback=foo[1].bar

/mz
Received on Wednesday, 12 February 2014 09:58:21 UTC
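The point of the message above is that a host-only script-src entry such as `https://www.google.com` also admits every JSONP-style endpoint on that host, while a path-qualified entry does not. The following is an added illustration written for this archive page, not code from Zalewski's message, from Google, or from any browser's CSP implementation: a simplified CSP source-expression matcher that applies the CSP Level 2 path rules (a path ending in "/" is a prefix match, any other path is an exact match, and the query string is ignored), next to a model of a JSONP endpoint that reflects its `callback` parameter into the script body. The `jsapi` URL and the `callback=foo[1].bar` value come from the message; the `/js/` paths, the policies and the payload are constructed for the example.

```javascript
// Added example (not the page's or Google's code): CSP Level 2 host/path matching, simplified.
// Supported: optional scheme, host, optional port, optional path. No wildcards, 'self',
// nonces or hashes, and paths are compared without percent-decoding.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Does one source expression permit loading the given URL as a script?
function sourceMatches(expr, urlString) {
  const src = parseSourceExpression(expr);
  const url = new URL(urlString);
  const scheme = url.protocol.replace(/:$/, '');

  if (src.scheme && src.scheme !== scheme) return false;
  if (src.host !== url.hostname.toLowerCase()) return false;

  // url.port is '' when the URL uses the scheme's default port.
  if (src.port === null) {
    if (url.port !== '') return false;
  } else if (src.port !== '*' && src.port !== url.port) {
    return false;
  }

  // No path in the expression: any path on the host is allowed (the "whole host" case).
  if (src.path === null) return true;
  // Trailing "/" means prefix match; otherwise the path must match exactly.
  // The query string (e.g. ?callback=...) plays no part in the decision.
  return src.path.endsWith('/')
    ? url.pathname.startsWith(src.path)
    : url.pathname === src.path;
}

// Evaluate a script-src list (an array of source expressions) against a URL.
function scriptAllowed(scriptSrc, urlString) {
  return scriptSrc.some((expr) => sourceMatches(expr, urlString));
}

// Model of a JSONP endpoint that reflects the callback parameter verbatim.
// Whatever the attacker puts in ?callback= becomes the beginning of the script text.
function jsonpResponse(requestUrl, payload) {
  const cb = new URL(requestUrl).searchParams.get('callback') || 'callback';
  return `${cb}(${JSON.stringify(payload)});`;
}

// Hardened variant: only dotted identifier paths are accepted as callback names, so
// bracketed expressions like foo[1].bar are refused. This narrows the endpoint to
// "call some global function with this JSON" rather than arbitrary expressions,
// but it does not change what the host-wide policy allows; only a path does that.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
function safeJsonpResponse(requestUrl, payload) {
  const cb = new URL(requestUrl).searchParams.get('callback') || 'callback';
  if (!SAFE_CALLBACK.test(cb)) return null; // reject rather than reflect
  return `${cb}(${JSON.stringify(payload)});`;
}

// Constructed policies for comparison.
const HOST_ONLY_POLICY = ['https://www.google.com'];
const PATH_POLICY = ['https://www.google.com/js/'];
const JSONP_URL = 'https://www.google.com/jsapi?callback=foo[1].bar';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('host-only policy allows jsapi:', scriptAllowed(HOST_ONLY_POLICY, JSONP_URL));
  console.log('path policy allows jsapi:    ', scriptAllowed(PATH_POLICY, JSONP_URL));
  console.log('reflected script body:       ', jsonpResponse(JSONP_URL, { ok: true }));
  console.log('hardened endpoint:           ', safeJsonpResponse(JSONP_URL, { ok: true }));
}
```

With the host-only policy the `jsapi` request is a permitted script load and its body begins with attacker-chosen text; with the `/js/` prefix policy the same request is refused before any response is considered, which is the effect the message says path support buys.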
