- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 8 Sep 2016 08:31:40 -0700
- To: Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>
- Cc: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, craig.francis@gmail.com
On 9/8/16 3:47 AM, Anne van Kesteren wrote:
> Some of these can be stopped using same-site cookies I think. Not sure
> about the others, but we should try to plug those too.

Same-site cookies are a defense against CSRF--which is great because nothing in CSP helps with CSRF--but that's about all they do.

-Dan Veditz

Received on Thursday, 8 September 2016 15:32:43 UTC