> I do wonder (like Brian) whether this is really CSP, or something
> separate; it seems like a lot of things are getting shoved into CSP because
> that's the tool at hand...

This 'CSP as a kitchen sink' issue has been a concern for some time (since CSP was first proposed, as I understand it) and it does seem to be happening to some degree.

Along these lines I will cite what I consider to be the most interesting piece of https://www.veracode.com/blog/2014/10/security-headers-top-1000000-websites-october-2014-report here:

"One thing that seems clear; simple, single purpose security headers continue to have wider adoption because their effects are well known and they are extremely easy to configure."

The article then goes on to argue that this is one reason CSP sees lower adoption, but I personally think it's more about nonce and hash whitelisting of selected inline scripts and getting those shaken out in implementations.

cheers,
ian

Received on Monday, 27 October 2014 18:17:39 UTC
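The message above refers to nonce and hash whitelisting of selected inline scripts. As an added illustration (not code from the original thread or from any of the participants), the following Python computes the CSP hash-source for an inline script body, generates a per-response nonce, assembles a script-src directive, and checks whether a given inline script would be permitted under that directive. The function names and the sample script bodies are this example's own constructions; the hash is computed over the exact script text, so even a whitespace change produces a different, non-matching hash.

```python
"""Build and check a CSP script-src that permits selected inline scripts by hash or nonce."""
import base64
import hashlib
import re
import secrets


def hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source (e.g. 'sha256-...') for an inline script body.

    The digest covers the exact bytes between <script> and </script>, so any
    change in whitespace or encoding invalidates the hash.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-source must use sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(num_bytes: int = 16) -> str:
    """Return a fresh, unpredictable base64 nonce; generate one per HTTP response."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_script_src(hashes=(), nonce=None, extra_sources=("'self'",)) -> str:
    """Assemble a script-src directive from host sources, hash-sources and an optional nonce."""
    sources = list(extra_sources)
    if nonce is not None:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(hashes)
    return "script-src " + " ".join(sources)


def inline_script_allowed(script_src: str, script_body: str, script_nonce=None) -> bool:
    """Decide whether an inline script would execute under the given script-src directive.

    Mirrors the CSP rule: inline scripts are blocked unless 'unsafe-inline' is present
    and no nonce/hash source is listed (a nonce or hash disables 'unsafe-inline'), or the
    script tag carries a matching nonce, or its hash matches a listed hash-source.
    """
    tokens = script_src.split()[1:]  # drop the directive name
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in tokens)
    if "'unsafe-inline'" in tokens and not has_nonce_or_hash:
        return True
    if script_nonce is not None and f"'nonce-{script_nonce}'" in tokens:
        return True
    for t in tokens:
        m = re.fullmatch(r"'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'", t)
        if m and hash_source(script_body, m.group(1)) == t:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one inline script the site author chose to allow.
    approved = "document.getElementById('year').textContent = new Date().getFullYear();"
    nonce = new_nonce()
    policy = build_script_src(hashes=[hash_source(approved)], nonce=nonce)
    print("Content-Security-Policy:", policy)
    print("approved script allowed:", inline_script_allowed(policy, approved))
    print("same script, extra space:", inline_script_allowed(policy, approved + " "))
    print("unlisted script with nonce:", inline_script_allowed(policy, "alert(1)", nonce))
```

The checker shows the two practical costs the message alludes to: every approved inline script must be hashed byte-for-byte (templating that alters whitespace breaks it), and a nonce must be generated per response and threaded into both the header and each permitted script tag.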
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC