On Mon, Oct 5, 2015 at 2:46 AM, Mike West <mkwst@google.com> wrote:
> On Thu, Oct 1, 2015 at 7:39 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> One of the problems with CSP as enforced in browsers today is that, even
>> when the browser blocks an XSS from loading some content, the HTML of the
>> XSS is still in the DOM. I'd like to find some way of preventing the XSS
>> from ever making it into the DOM. And, I'd like to be able to separate out
>> the parts of CSP that can be done production-side from the parts that have
>> to be done by the browser (e.g. redirects).
>>
>
> What is the value of that separation?
>
> I understand that it could help template-engine developers add CSP-related
> features into their engines. Is that the extent of the benefit?
>
Yes, but anything that would encourage the development of
template-engine-enforced CSP would be a large benefit. That's especially
true if Safari and MSIE aren't implementing CSP 2 any time soon.
Cheers,
Brian
--
https://briansmith.org/