
Re: Remove paths from CSP?

From: Michal Zalewski <lcamtuf@google.com>
Date: Wed, 12 Feb 2014 07:42:31 -0800
Message-ID: <CAN44M3X4n32uZqEnhv0CAXMtQXNtaphBh3bkvT9DU+--qqxVyQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

> Happily, I'm not on Google's infra security team, so I can suggest that
> Google should be more careful about a) scoping APIs to origins, and b) not
> allowing arbitrary callbacks, while remaining blissfully unaware of the work
> that would be involved in doing so. :)

I think that making the value of CSP hinge on the assumption that
nothing else you host in the origin will have any side effects if
loaded somewhere else greatly diminishes its value to any medium-size
web property. JSONP APIs are just an intuitive example, but I bet that
there are dozens or hundreds of other opportunities across paypal.com,
facebook.com, google.com, etc.

/mz
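The argument above rests on a concrete property of JSONP endpoints: if the `callback` parameter is echoed verbatim, any same-origin page that a path-less `script-src 'self'` policy already trusts is in effect a script generator. The following Python is an added illustration, not code from this thread or from any of the sites named in it; the function names, the strict identifier pattern and the sample callbacks are assumptions made for the demonstration. It shows the permissive behaviour side by side with the hardened one (Mike West's point b, "not allowing arbitrary callbacks") and adds a small audit helper a defender can run over captured JSONP responses to confirm that a body has the shape `identifier(<valid JSON>);` and nothing else.

```python
import json
import re

# Assumed strict shape for a JSONP callback name: a plain JavaScript identifier,
# optionally dotted (e.g. "app.handlers.onData"). Anything else is rejected.
_IDENT = r"[A-Za-z_$][\w$]*"
CALLBACK_RE = re.compile(r"^%s(?:\.%s)*$" % (_IDENT, _IDENT))

# Shape a well-formed JSONP body must have: <identifier>(<something>); with
# the <something> checked separately as JSON.
_BODY_RE = re.compile(r"^(%s(?:\.%s)*)\((.*)\);?\s*$" % (_IDENT, _IDENT), re.DOTALL)


def is_valid_callback(name):
    """True only for identifier-shaped callback names (hypothetical policy)."""
    return bool(CALLBACK_RE.match(name))


def jsonp_body(callback, payload, strict=True):
    """Build the body of a JSONP response.

    strict=False reproduces the permissive behaviour the thread warns about:
    whatever arrived in ?callback= is echoed verbatim in front of the JSON, so
    the response text is controlled by the requester.
    strict=True only accepts identifier-shaped names, so the body can never be
    anything but <identifier>(<json>);.
    """
    if strict and not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name: %r" % callback)
    # ensure_ascii keeps U+2028/U+2029 (JS line terminators) escaped inside the
    # JSON text, so the payload cannot terminate the enclosing statement.
    return "%s(%s);" % (callback, json.dumps(payload, ensure_ascii=True))


def audit_jsonp_body(body):
    """Defender-side check for a captured JSONP response body.

    Returns True when the body is exactly one identifier-shaped call wrapping
    valid JSON, and False for anything else (extra statements, comments,
    non-JSON arguments).  Useful as a regression test for existing endpoints.
    """
    m = _BODY_RE.match(body)
    if not m:
        return False
    try:
        json.loads(m.group(2))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate callback and a non-identifier one.
    data = {"ok": True}
    print(jsonp_body("app.onData", data))                     # accepted
    print(jsonp_body("alert(1);//", data, strict=False))      # echoed verbatim
    print(audit_jsonp_body(jsonp_body("app.onData", data)))  # True
    print(audit_jsonp_body(jsonp_body("alert(1);//", data, strict=False)))  # False
    try:
        jsonp_body("alert(1);//", data)
    except ValueError as e:
        print("rejected:", e)
```

`audit_jsonp_body` is deliberately stricter than what a JavaScript engine would accept; the point of an audit is to flag any response whose text is not fully determined by the server, which is exactly the property a path-less CSP silently assumes of every endpoint in the origin.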
Received on Wednesday, 12 February 2014 15:43:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC