Re: Remove paths from CSP?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 18 Feb 2014 10:14:47 -0800
Message-ID: <5303A317.6010806@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Sigbjørn Vik wrote:
> XSS is a serious issue on the web, but it is well known how to fix it.
> Phishing is an even worse issue on the web, with no simple ways for
> fixing. Fixing a serious issue at the cost of an even worse one seems
> like a suboptimal tradeoff, especially when an almost identical solution
> exists without the tradeoff.

I think I'm lost... how does this relate to phishing? I can't agree
that phishing is worse than XSS, but maybe we mean different things by
phishing because I don't see the connection.

What is the "almost identical solution... without the tradeoff"? Simply 
dropping paths as Mike suggested? Sorry for being dense but this is a 
long thread and I'm not entirely sure which of the suggested solutions 
you mean.

-Dan Veditz
Received on Tuesday, 18 February 2014 18:15:09 UTC