On Tue, Sep 29, 2015 at 5:47 AM, Brian Smith <brian@briansmith.org> wrote:
> There's way too much emphasis on browser enforcement of CSP. Most of CSP
> should be implemented by jQuery, React, PHP, etc., not by browsers.
>
Redirects make this impossible for the -src directives. We can't expose
redirects to the page without violating the same origin policy--and there
have been exploitable bugs that take advantage of
the times we let some of them leak.
We should not just forget about redirects. Anecdotally Gecko's internal
implementation makes it easy for add-ons
to filter URLs loaded explicitly from a page but doesn't handle redirects.
Most add-ons that do load filtering--and all of the ones that do so for
security reasons--have made the extra effort to capture redirects as well.
> CSP should be enforced well before the browser attempts a fetch--before
> the XSS even enters the DOM. For example, I hope that in CSP3, the
> enforcement of CSP is browsers moved from fetch() processing to DOM
> construction/mutation.
>
In practical terms that will spread enforcement all over the DOM engine
whereas fetch() localizes it. Not to mention things like Workers that
never go through the DOM.
-Dan Veditz
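As an added illustration of the redirect point above (example code written for this page, not from the thread, from Gecko, or from any library): a simplified CSP source-expression matcher applied to every hop of a constructed redirect chain, contrasting the verdict a page-side library can reach (it sees only the requested URL) with the one the browser can reach (it sees each hop). Helper names are hypothetical; scheme matching is exact, so the spec's http-to-https upgrade rule is omitted.

```javascript
// Hypothetical helpers for this example; not part of any browser or library.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {            // "*.example.com" matches subdomains only
    const suffix = pattern.slice(1);         // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression ("'self'", "https:", "*.example.com",
// "https://cdn.example.com:8443") allow `url` for a page at `pageOrigin`?
function sourceAllows(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // host-source: [scheme://]host[:port]; simplified, exact scheme match only
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname)) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// Evaluate a directive value against every hop of a redirect chain.
// pageSideVerdict: what code that only sees the first URL can decide.
// browserVerdict: what the browser, which sees every hop, can decide.
function evaluateChain(directiveValue, chain, pageOrigin) {
  const sources = directiveValue.trim().split(/\s+/);
  const hops = chain.map(u => {
    const url = new URL(u);
    return { url: u, allowed: sources.some(s => sourceAllows(s, url, pageOrigin)) };
  });
  return {
    pageSideVerdict: hops[0].allowed,
    browserVerdict: hops.every(h => h.allowed),
    firstBlocked: (hops.find(h => !h.allowed) || { url: null }).url,
  };
}

// Constructed sample: an allowed CDN URL that redirects to a host outside img-src.
const SAMPLE_CHAIN = ['https://cdn.example.com/logo.png', 'https://other.example.net/logo.png'];
const SAMPLE_RESULT = evaluateChain("'self' https://cdn.example.com", SAMPLE_CHAIN, 'https://app.example');
```

With the constructed chain, `pageSideVerdict` is true while `browserVerdict` is false, which is exactly the gap that redirect-unaware enforcement leaves.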