
Re: On the Insecurity of Whitelists and the Future of CSP

From: Mike West <mkwst@google.com>
Date: Thu, 8 Sep 2016 15:10:10 +0200
Message-ID: <CAKXHy=cf_F=J1eEt_CqSgcj2vkc3nD_9TU01bvscBzxZeN4r=w@mail.gmail.com>
To: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>

On Thu, Sep 8, 2016 at 2:08 PM, Christoph Kerschbaumer <ckerschbaumer@mozilla.com> wrote:

> That's what I meant earlier. If we can provide better ways of stopping
> unwanted script from executing, then the exfiltration is less of an issue.
> I think the strict-dynamic approach can provide better security in that
> sense. Still, the syntax issue needs to be discussed. As in our previous
> email discussion, I think TPAC is probably a good venue, where all the
> people interested are sitting at one table.

What syntax issue do we need to discuss? If there are remaining syntax
questions, we should resolve them quickly, as Chrome is shipping what's
currently in the spec, and Google sites are beginning to rely on the
currently specified behavior. :)

Received on Thursday, 8 September 2016 13:11:29 UTC
