
Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 17:25:45 +0100
Message-ID: <CAKXHy=dnwuOY+uZrLrS88G=A0bpCdQovER+3oUD8jjKsvnMVzQ@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 5:18 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> > Neither GitHub nor Facebook use paths in their policies today.
>
> Well, I don't think it's fair to use this as an argument given that
> paths aren't a part of CSP 1.0 and probably very few people outside
> this list even know they were supported; the awareness of potential
> weaknesses on origin-scoped CSP is probably about as limited; and the
> number of observed attacks that leveraged origin scoping weaknesses in
> the past is very close to zero.
>

It's fair only in terms of responding to the claim that CSP without paths
doesn't have value. :)

> (Plus, glass houses, stones: it's not like non-path-based CSP is
> enjoying widespread adoption at this point to begin with, so we should
> be careful with using current adoption as a proxy for future
> usefulness.)

Very fair point.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 12 February 2014 16:26:33 UTC
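The "weaknesses on origin-scoped CSP" the thread refers to are easiest to see with a concrete matcher. What follows is an added example, not code from the thread, from the CSP specification or from any browser's CSP engine: a small JavaScript implementation of CSP host-source matching, with the path rules of CSP Level 2 in simplified form (no path means any path on that origin, a path ending in "/" is a prefix match, anything else is an exact match). The hosts, paths and the two policies compared are constructed for illustration; 'self', wildcard hosts, nonces, hashes and redirect handling are deliberately left out.

```javascript
// Added example, not code from the thread or from any browser's CSP engine:
// a small matcher for CSP host-source expressions that makes concrete what the
// thread calls the weakness of origin-scoped policies. Path handling follows
// the CSP Level 2 matching rules in simplified form: an expression with no
// path matches every path on that origin, a path ending in "/" is a prefix
// match, and any other path must match exactly. 'self', wildcard hosts,
// nonces, hashes and redirect handling are deliberately left out.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Effective port of a parsed URL, filling in the scheme default when absent.
function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Does the URL string `target` match the single source expression `expr`?
function matchesSource(expr, target) {
  // A scheme-source such as "https:" matches any URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return new URL(target).protocol.toLowerCase() === expr.toLowerCase();
  }
  const e = new URL(expr);
  const t = new URL(target);
  if (e.protocol !== t.protocol) return false;
  if (e.hostname.toLowerCase() !== t.hostname.toLowerCase()) return false;
  if (portOf(e) !== portOf(t)) return false;

  // URL parsing turns "https://cdn.example.com" into pathname "/", which would
  // wrongly look like an explicit path; detect whether the author wrote one.
  const wrotePath = /^[a-z][a-z0-9+.-]*:\/\/[^/]+\//i.test(expr);
  if (!wrotePath) return true;                       // origin-scoped: any path
  if (e.pathname.endsWith("/")) return t.pathname.startsWith(e.pathname);
  return e.pathname === t.pathname;                  // exact file match
}

// Is `target` permitted by a whitespace-separated source list?
function allowedBy(sourceList, target) {
  return sourceList
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => matchesSource(expr, target));
}

// Constructed scenario (hypothetical hosts): one CDN origin serves both the
// vetted library directory and a user-upload directory. An origin-scoped
// policy cannot tell them apart; a path-scoped one can.
const VETTED_LIB = "https://cdn.example.com/libs/jquery.min.js";
const USER_UPLOAD = "https://cdn.example.com/uploads/attacker.js";

function compareScoping() {
  const originScoped = "https://cdn.example.com";
  const pathScoped = "https://cdn.example.com/libs/";
  return {
    originScoped: {
      vettedLib: allowedBy(originScoped, VETTED_LIB),   // true
      userUpload: allowedBy(originScoped, USER_UPLOAD), // true: the weakness
    },
    pathScoped: {
      vettedLib: allowedBy(pathScoped, VETTED_LIB),     // true
      userUpload: allowedBy(pathScoped, USER_UPLOAD),   // false
    },
  };
}

console.log(JSON.stringify(compareScoping(), null, 2));
```

Two caveats a practitioner should keep in mind when reading the output. First, the same origin-level gap appears whenever an allow-listed origin hosts anything that will echo attacker-chosen script (a JSONP endpoint, a user-upload area, an open redirector), so path scoping only helps if the path actually isolates the trusted content. Second, this matcher ignores the rule that CSP Level 2 adopted as the compromise in this very debate: once a request has been redirected, the path component of the source expression is no longer enforced, so the path-scoped policy above would again admit anything on cdn.example.com if the library URL redirects.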
