- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 14 Feb 2014 11:02:16 -0800
- To: Sigbjørn Vik <sigbjorn@opera.com>, public-webappsec@w3.org
On 2/14/2014 12:53 AM, Sigbjørn Vik wrote: > From: Daniel Veditz <dveditz@mozilla.com> >> I'm not too concerned about CSP being used to determine if someone is >> logged in to a particular site or not, because timing attacks are good >> enough to figure that out for most sites already. > > That many sites have an existing security hole is not an argument to > build this security hole into browsers by default. The web is an inconsistent accretive steaming mess and perfect solutions don't exist. We are not "building a security hole", we are building a feature to make things in general more secure. It appears we may be making other things less secure. How much less? How much, and in what cases, does CSP improve security? Is is worth giving up that security improvement to avoid causing this "hole"? Is the security problem we're causing equivalent to existing problems, and if so is there any hope that those other problems will be solved (that is, even if we're not really making things worse now, will we be leaving things worse in the future)? Are there alternative where we can have both the CSP security improvements and avoid the "hole" altogether, or minimize the damage? Welcome to engineering. -Dan Veditz
Received on Friday, 14 February 2014 19:02:47 UTC