- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 15 Jul 2014 20:25:14 -0700
- To: Gregory Huczynski <gh_online@me.com>, public-webappsec@w3.org

On 7/15/2014 12:47 AM, Gregory Huczynski wrote:
> There was no input to the consensus decision from any individuals or
> companies who make popular bookmarklets or extensions - who would like a
> say on this change if they were aware of it. I will be making such
> individuals and companies aware of the CSP 1.1 draft, such that they
> have an opportunity to comment before the deadline closes on 13 August 2014.

Both the Firefox and Chrome implementors of CSP would like the 1.0 language to be true, but it is technically hard to distinguish wanted injected content from an attack. That is especially true for bookmarklets which are pure XSS by definition, even if "good" XSS.

More useful than arguing about the spec language would be writing patches implementing clever ideas to fix the problem. If you know someone with the time and coding chops for Firefox in particular I have some ideas but no time to implement. Look me up on the mozilla dev lists or irc.

-Dan Veditz

Received on Wednesday, 16 July 2014 03:25:47 UTC