
RE: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Mon, 5 Oct 2015 18:25:49 +0100
To: "'Brian Smith'" <brian@briansmith.org>, "'Mike West'" <mkwst@google.com>
Cc: <public-webappsec@w3.org>, "'Brad Hill'" <hillbrad@gmail.com>, "'Dan Veditz'" <dveditz@mozilla.com>, "'Mark Nottingham'" <mnot@mnot.net>, "'Travis Leithead'" <Travis.Leithead@microsoft.com>
Message-ID: <149701d0ff92$e1422160$a3c66420$@baycloud.com>

Safari on OSX and MS Edge both support at least some of CSP 2, e.g. CSP via meta tags, which Firefox did not last time I looked.

From: Brian Smith [mailto:brian@briansmith.org] 
Sent: 05 October 2015 18:07
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org; Brad Hill <hillbrad@gmail.com>; Dan Veditz <dveditz@mozilla.com>; Mark Nottingham <mnot@mnot.net>; Travis Leithead <Travis.Leithead@microsoft.com>
Subject: Re: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

On Mon, Oct 5, 2015 at 2:46 AM, Mike West <mkwst@google.com> wrote:

On Thu, Oct 1, 2015 at 7:39 PM, Brian Smith <brian@briansmith.org> wrote:

One of the problems with CSP as enforced in browsers today is that, even when the browser blocks an XSS from loading some content, the HTML of the XSS is still in the DOM. I'd like to find some way of preventing the XSS from ever making it into the DOM. And, I'd like to be able to separate out the parts of CSP that can be done production-side from the parts that have to be done by the browser (e.g. redirects).

What is the value of that separation?

I understand that it could help template-engine developers add CSP-related features into their engines. Is that the extent of the benefit?

Yes, but anything that would encourage the development of template-engine-enforced CSP would be a large benefit. That's especially true if Safari and MSIE aren't implementing CSP 2 any time soon.

Cheers,

Brian

-- 

https://briansmith.org/

Received on Monday, 5 October 2015 17:26:26 UTC
