Re: Remove paths from CSP?

On 2/14/2014 12:53 AM, Sigbjørn Vik wrote:
> From: Daniel Veditz <dveditz@mozilla.com>
>> I'm not too concerned about CSP being used to determine if someone is
>> logged in to a particular site or not, because timing attacks are good
>> enough to figure that out for most sites already.
> 
> That many sites have an existing security hole is not an argument to
> build this security hole into browsers by default.

The web is an inconsistent accretive steaming mess and perfect solutions
don't exist. We are not "building a security hole", we are building a
feature to make things in general more secure. It appears we may be
making other things less secure. How much less? How much, and in what
cases, does CSP improve security? Is it worth giving up that security
improvement to avoid causing this "hole"? Is the security problem we're
causing equivalent to existing problems, and if so is there any hope
that those other problems will be solved (that is, even if we're not
really making things worse now, will we be leaving things worse in the
future)? Are there alternatives where we can have both the CSP security
improvements and avoid the "hole" altogether, or minimize the damage?

Welcome to engineering.

-Dan Veditz

Received on Friday, 14 February 2014 19:02:47 UTC