- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 12 Feb 2014 08:18:05 -0800
- To: Mike West <mkwst@google.com>
- Cc: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Neither GitHub nor Facebook use paths in their policies today.

Well, I don't think it's fair to use this as an argument given that paths aren't a part of CSP 1.0 and probably very few people outside this list even know they were supported; the awareness of potential weaknesses in origin-scoped CSP is probably about as limited; and the number of observed attacks that leveraged origin scoping weaknesses in the past is very close to zero.

(Plus, glass houses, stones: it's not like non-path-based CSP is enjoying widespread adoption at this point to begin with, so we should be careful with using current adoption as a proxy for future usefulness.)

/mz
Received on Wednesday, 12 February 2014 16:18:54 UTC
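To make concrete what "origin-scoped" versus path-scoped source expressions change in practice, here is an added example that is not part of this thread or of any CSP implementation: a simplified source-expression matcher written to the path rules that CSP Level 2 later standardized (an expression path ending in "/" is a prefix match, any other path is an exact match, and an expression with no path admits every path on that origin). It is deliberately reduced: no `*` wildcards, no `'self'`/nonce/hash keywords, no percent-decoding of paths, and no scheme upgrade. The host `cdn.example.com` and the URLs are constructed for illustration; the `/uploads/` path stands in for the general case of a same-host location whose content the site operator does not fully control. The `redirected` flag models the Level 2 rule that the path component is ignored once a fetch has been redirected, which is the kind of weakness an origin-scoped policy cannot express at all.

```javascript
// Added example (not from the thread): compare an origin-scoped CSP
// source list with a path-scoped one under simplified CSP Level 2 rules.
// Host names and paths below are constructed for illustration.

const DEFAULT_PORTS = { http: '80', https: '443' };

// Parse "scheme://host[:port][/path]". Wildcards and keywords are out of scope.
function parseSourceExpression(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] || DEFAULT_PORTS[scheme] || '',
    path: m[4] || '',            // '' means "no path given": whole origin
  };
}

// CSP Level 2 path rule: trailing "/" is a prefix match, otherwise exact.
function pathMatches(exprPath, urlPath) {
  if (exprPath === '') return true;
  if (exprPath.endsWith('/')) return urlPath.startsWith(exprPath);
  return urlPath === exprPath;
}

// Does one source expression match a fetched URL?
// `redirected` models the Level 2 rule that the path is ignored after a redirect.
function sourceMatches(expr, url, { redirected = false } = {}) {
  const src = parseSourceExpression(expr);
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, '');
  if (scheme !== src.scheme) return false;
  if (u.hostname.toLowerCase() !== src.host) return false;
  const urlPort = u.port || DEFAULT_PORTS[scheme] || '';
  if (urlPort !== src.port) return false;
  if (redirected) return true;
  return pathMatches(src.path, u.pathname);
}

// A directive's source list allows a URL if any expression matches it.
function allowedBy(sourceList, url, opts) {
  return sourceList.some((expr) => sourceMatches(expr, url, opts));
}

// Constructed policies: same host, with and without a path restriction.
const ORIGIN_SCOPED = ['https://cdn.example.com'];
const PATH_SCOPED = ['https://cdn.example.com/static/'];

// Constructed candidate script URLs on that host.
const CANDIDATES = [
  'https://cdn.example.com/static/app.js',
  'https://cdn.example.com/uploads/not-ours.js', // hypothetical same-host, non-operator path
];

// Returns, per URL, what each policy decides on a direct fetch and after a redirect.
function comparePolicies() {
  return CANDIDATES.map((url) => ({
    url,
    originScoped: allowedBy(ORIGIN_SCOPED, url),
    pathScoped: allowedBy(PATH_SCOPED, url),
    pathScopedAfterRedirect: allowedBy(PATH_SCOPED, url, { redirected: true }),
  }));
}

console.table(comparePolicies());
```

Run with `node` to see the table: the origin-scoped list admits both URLs, the path-scoped list admits only `/static/app.js` on a direct fetch, and once a redirect is involved the path-scoped list behaves exactly like the origin-scoped one. That last row is the gap the thread is arguing over: a path restriction narrows the policy only for the URL the document originally named.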