Re: Remove paths from CSP?

> Happily, I'm not on Google's infra security team, so I can suggest that
> Google should be more careful about a) scoping APIs to origins, and b) not
> allowing arbitrary callbacks, while remaining blissfully unaware of the work
> that would be involved in doing so. :)

I think that making the value of CSP hinge on the assumption that
nothing else you host in the origin will have any side effects if
loaded somewhere else greatly diminishes its value to any medium-size
web property. JSONP APIs are just an intuitive example, but I bet that
there are dozens or hundreds of other opportunities across paypal.com,
facebook.com, google.com, etc.

/mz
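Added example (mine, not code from the thread): a minimal CSP Level 2 host-source matcher that contrasts an origin-scoped `script-src` entry, which admits every endpoint on the host including a JSONP one, with a path-scoped entry that does not, alongside a JSONP responder that refuses arbitrary callback names, the mitigation the quoted message suggests. Hostnames, paths and the callback pattern are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed source expressions (not from the thread): one whole-origin entry
# and one path-scoped entry, as they might appear in a script-src directive.
ORIGIN_SCOPED = "https://api.example.test"
PATH_SCOPED = "https://api.example.test/static/"


def csp_source_allows(source: str, url: str) -> bool:
    """Simplified CSP Level 2 host-source match on scheme, host and path.

    Path rule: a source path ending in "/" matches any URL path that starts
    with it; any other source path must match exactly; a source with no path
    matches the whole origin. Ports, wildcards and percent-decoding are left
    out to keep the example short."""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or s.netloc.lower() != u.netloc.lower():
        return False
    if not s.path:
        return True  # origin-scoped: every path on the host is allowed
    if s.path.endswith("/"):
        return u.path.startswith(s.path)
    return u.path == s.path


# Constructed allow-list for callback names: dotted JavaScript identifiers only.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def jsonp_body(callback: str, payload: str) -> Optional[str]:
    """Build a JSONP response body only for a well-formed callback name.

    Returning None (an HTTP 400 in a real handler) is the "no arbitrary
    callbacks" mitigation: the endpoint never echoes caller-chosen script, so
    the origin stops being a script source whatever the policy says."""
    if not CALLBACK_RE.fullmatch(callback):
        return None
    return f"/**/{callback}({payload});"
```

The origin-scoped entry allows `/jsonp?cb=...` just as readily as `/static/app.js`; the path-scoped entry excludes it, which is the property the reply argues CSP loses once paths go away.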

Received on Wednesday, 12 February 2014 15:43:21 UTC