Re: WebAppSec re-charter status

On Thu, Feb 12, 2015 at 8:01 PM, David Ross <drx@google.com> wrote:
>> Why does the intended audience of the feature matter? What matters is
>> what it does and how it can be used, no?
>
> I'll assume that the primary concern is with apps / sites that
> unintentionally block deep links due to legitimate EPR usage.  In this case
> the intended audience matters because it's targeted.

I'm not sure what the primary concern is. Making it impossible to
navigate to (or embed?) resources without going through a front door,
legitimate or not, is a concern.


>> There are other ways we could limit some of these too I think. E.g. by
>> introducing first-party and/or same-origin cookies.
>
> I think that would address XSRF but not XSS.  (?)

Well, that's one down, one to go.

So XSS is still a concern, but CSP helps with that. E.g. you could
have very restrictive CSP on all but a few pages that you control
carefully. That would be much less damaging to the web I think.


-- 
https://annevankesteren.nl/

Received on Thursday, 12 February 2015 20:07:43 UTC