Re: [referrer] HTTPS->HTTP from Ian Melven on 2014-10-27 (public-webappsec@w3.org from October 2014)

From: Ian Melven <ian.melven@gmail.com>
Date: Mon, 27 Oct 2014 11:17:12 -0700
To: Mark Nottingham <mnot@mnot.net>
Cc: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Jochen Eisinger <eisinger@google.com>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CA+0m=FciEdNLOSp3R8csS9PEL1f=1TuVGxw6zR+C=uq84T_6TA@mail.gmail.com>

>
> I do wonder (like Brian) whether this is really CSP, or something
> separate; it seems like a lot of things are getting shoved into CSP because
> that’s the tool at hand…
>
>
This 'CSP as a kitchen sink' issue has been a concern for some time (since
CSP was first proposed, as i understand it) and it does seem to be
happening to some degree.

Along these lines I will cite what I consider to be the most interesting
piece of
https://www.veracode.com/blog/2014/10/security-headers-top-1000000-websites-october-2014-report
here :

"One thing that seems clear; simple, single purpose security headers
continue to have wider adoption because their effects are well known and
they are extremely easy to configure."

the article then goes on to argue that this is one reason CSP sees lower
adoption but i personally think it's more about nonce and hash whitelisting
of selected inline scripts and getting those shaken out in implementations.

cheers,
ian

Received on Monday, 27 October 2014 18:17:39 UTC