Re: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

On Mon, Oct 5, 2015 at 2:46 AM, Mike West <mkwst@google.com> wrote:

> On Thu, Oct 1, 2015 at 7:39 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> One of the problems with CSP as enforced in browsers today is that, even
>> when the browser blocks an XSS from loading some content, the HTML of the
>> XSS is still in the DOM. I'd like to find some way of preventing the XSS
>> from ever making it into the DOM. And, I'd like to be able to separate out
>> the parts of CSP that can be done production-side from the parts that have
>> to be done by the browser (e.g. redirects).
>>
>
> What is the value of that separation?
>
> I understand that it could help template-engine developers add CSP-related
> features into their engines. Is that the extent of the benefit?
>

Yes, but anything that would encourage the development of
template-engine-enforced CSP would be a large benefit. That's especially
true if Safari and MSIE aren't implementing CSP 2 any time soon.

Cheers,
Brian
-- 
https://briansmith.org/

Received on Monday, 5 October 2015 17:07:38 UTC
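The production-side enforcement Brian describes above (dropping markup that the page's script-src would block before the response is sent, so injected script never reaches the DOM), as an added example that is not part of the original thread and is not code from any real template engine. It models only a small subset of CSP script-src ('self', 'unsafe-inline', nonce sources, and host sources with an optional leading "*."); hashes, paths, 'strict-dynamic' and the redirect checks the mail mentions are left out, and ORIGIN, CSP and PAGE are constructed inputs. Regexes over the finished HTML stand in here for what a real engine would do at the template level, where it knows which script elements the developer authored.

```javascript
// Added example (not from the thread or any real template engine): a toy
// "production-side" script-src enforcer. A template engine could run this over
// the HTML it produces so that anything the browser's CSP would block never
// reaches the document in the first place. Only 'self', 'unsafe-inline',
// 'nonce-...' and host sources (optionally with a leading "*.") are modelled;
// paths in host sources, hashes and 'strict-dynamic' are not.

// Turn the script-src directive of a CSP string into a small rule set.
function parseScriptSrc(csp, origin) {
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/i.test(d));
  if (!directive) return null; // no script-src: nothing to enforce here
  const rules = { nonces: new Set(), hosts: new Set(), inline: false };
  for (const src of directive.replace(/^script-src/i, '').trim().split(/\s+/)) {
    if (src === '') continue;
    if (src === "'self'") rules.hosts.add(origin.toLowerCase());
    else if (src === "'unsafe-inline'") rules.inline = true;
    else if (/^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(src)) rules.nonces.add(src.slice(7, -1));
    else rules.hosts.add(src.toLowerCase());
  }
  return rules;
}

// Does one host source ("https://cdn.example.com", "*.example.com") cover url?
function hostMatches(rule, url) {
  let scheme = null;
  let host = rule;
  const i = rule.indexOf('://');
  if (i !== -1) {
    scheme = rule.slice(0, i) + ':';
    host = rule.slice(i + 3);
  }
  if (scheme && scheme !== url.protocol) return false;
  if (host.startsWith('*.')) {
    // "*.example.com" covers "a.example.com" and "a.b.example.com", not "example.com"
    const suffix = host.slice(1);
    return url.host.endsWith(suffix) && url.host.length > suffix.length;
  }
  return url.host === host;
}

// Parse the attribute text of a start tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Would the browser's script-src let this <script> run?
function scriptAllowed(attrs, rules, origin) {
  if (attrs.nonce !== undefined && rules.nonces.has(attrs.nonce)) return true;
  if (attrs.src === undefined) return rules.inline; // inline script body
  let url;
  try {
    url = new URL(attrs.src, origin); // resolve relative and protocol-relative src
  } catch (e) {
    return false;
  }
  for (const rule of rules.hosts) if (hostMatches(rule, url)) return true;
  return false;
}

const SCRIPT_RE = /<script\b([^>]*)>[\s\S]*?<\/script\s*>/gi;
const HANDLER_ATTR_RE = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

// Strip every <script> the policy would block, plus inline event handlers when
// 'unsafe-inline' is absent. Returns the cleaned HTML and what was removed.
// Caveat: the server can check where a src points, not where it will redirect
// at fetch time; that part of CSP has to stay in the browser. The handler
// regex is also a toy: a real engine would act on parsed markup, not text.
function enforceScriptSrc(html, csp, origin) {
  const rules = parseScriptSrc(csp, origin);
  const removed = [];
  if (!rules) return { html, removed };
  let out = html.replace(SCRIPT_RE, (match, attrText) => {
    if (scriptAllowed(parseAttrs(attrText), rules, origin)) return match;
    removed.push(match);
    return ''; // the element is never emitted, so it never enters the DOM
  });
  if (!rules.inline) {
    out = out.replace(HANDLER_ATTR_RE, (match) => {
      removed.push(match.trim());
      return '';
    });
  }
  return { html: out, removed };
}

// Constructed inputs for the demo (not from the thread).
const ORIGIN = 'https://example.com';
const CSP = "default-src 'none'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com";
const PAGE = [
  '<html><body>',
  '<script nonce="r4nd0m">init();</script>', // nonced: kept
  '<script src="/app.js"></script>', // same origin ('self'): kept
  '<script src="https://cdn.example.com/lib.js"></script>', // allow-listed host: kept
  '<p>Hello, <b>user</b>!</p>',
  '<script>alert(document.cookie)</script>', // injected inline script: stripped
  '<script src="//evil.example.net/x.js"></script>', // off-policy host: stripped
  '<img src="x" onerror="alert(1)">', // inline handler: attribute stripped
  '</body></html>',
].join('\n');

const result = enforceScriptSrc(PAGE, CSP, ORIGIN);
console.log(result.html);
console.log(`removed ${result.removed.length} item(s)`); // removed 3 item(s)
```

Run it with `node` and compare the two console lines with the PAGE constant: the three developer-authored scripts survive, the two injected ones and the onerror handler do not. What this does not catch is exactly what the mail leaves to the browser: an allow-listed `https://cdn.example.com/lib.js` that redirects elsewhere at fetch time is still loaded by the server-side check, and only the browser's CSP sees the redirect target.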