Re: Remove paths from CSP?

On 14-Feb-14 20:02, Daniel Veditz wrote:
> On 2/14/2014 12:53 AM, Sigbjørn Vik wrote:
>> From: Daniel Veditz <dveditz@mozilla.com>
>>> I'm not too concerned about CSP being used to determine if someone is
>>> logged in to a particular site or not, because timing attacks are good
>>> enough to figure that out for most sites already.
>>
>> That many sites have an existing security hole is not an argument to
>> build this security hole into browsers by default.
> 
> The web is an inconsistent accretive steaming mess and perfect solutions
> don't exist. We are not "building a security hole", we are building a
> feature to make things in general more secure. It appears we may be
> making other things less secure. How much less? How much, and in what
> cases, does CSP improve security? Is it worth giving up that security
> improvement to avoid causing this "hole"? Is the security problem we're
> causing equivalent to existing problems, and if so is there any hope
> that those other problems will be solved (that is, even if we're not
> really making things worse now, will we be leaving things worse in the
> future)? Are there alternatives where we can have both the CSP security
> improvements and avoid the "hole" altogether, or minimize the damage?

I agree that when we are discussing a topic where tradeoffs are
required, the negative sides need to be evaluated carefully, and I am
happy to see you consider them. We need to take into account that the
negative sides might also be bigger than what we are able to understand
today.

XSS is a serious issue on the web, but it is well known how to fix it.
Phishing is an even worse issue on the web, with no simple ways of
fixing it. Fixing a serious issue at the cost of an even worse one seems
like a suboptimal tradeoff, especially when an almost identical solution
exists without the tradeoff.

-- 
Sigbjørn Vik
Opera Software

Received on Monday, 17 February 2014 10:10:44 UTC