Re: Remove paths from CSP?

> Neither GitHub nor Facebook use paths in their policies today.

Well, I don't think it's fair to use this as an argument given that
paths aren't a part of CSP 1.0 and probably very few people outside
this list even know they were supported; the awareness of potential
weaknesses on origin-scoped CSP is probably about as limited; and the
number of observed attacks that leveraged origin scoping weaknesses in
the past is very close to zero.

(Plus, glass houses, stones: it's not like non-path-based CSP is
enjoying widespread adoption at this point to begin with, so we should
be careful with using current adoption as a proxy for future
usefulness.)

/mz

Received on Wednesday, 12 February 2014 16:18:54 UTC