Re: A modest content security proposal - use of "unsafe"

I'm thinking mostly of the conversation around `unsafe-eval`, which some
developers took as a much more damning critique of their chosen programming
methods than I think we'd intended. I don't think that label, in
particular, was helpful.

I don't think I'd object to `unsafe-whatever` labels in whatever we do
next, but I would like to make sure that we generally think it's going to
be helpful to developer education on balance.


On Thu, Jul 18, 2019 at 3:03 PM Craig Francis <>

> In regards to the first bit, about the "unsafe" prefixes...
> When discussing best coding practices with other programmers, it has
> helped me confirm/show inline JavaScript is unsafe ("see, even the browsers
> are telling you it's unsafe").
> And it makes it easy to write about in a pen-test report, where it hardly
> needs an explanation (admittedly it's complicated by the nonce based
> approach, which needs it for backwards compatibility).
> I also believe it's being introduced/used in some programming languages
> (Rust and Haskell?) and some frameworks (unfortunately I don't have
> direct examples of these, just overhearing programmers talking about it in
> a positive way).
> On 16 Jul 2019, at 11:54, Mike West <> wrote:
> Thanks for your feedback! I'll concentrate on the resource confinement
> feedback, as it's the part I've thought least about, and I'd like to
> understand your perspective!
> On Mon, Jul 15, 2019 at 2:15 PM Craig Francis <>
> wrote:
>> Initial thoughts from a web developer, one that really likes CSP...
>> I like the idea of the browser providing the nonce, and that being used
>> to white-list scripting - it feels like a good way to prove the website did
>> intend to include that script. It also means the browser knows the nonce is
>> random/unique (where developers should still be careful, you're reflecting
>> a value back in your HTML).
>> And simplifying the process by locking down <base>, <object>,
>> "javascript:" URLs, etc; that should set a good/simplier baseline (where I
>> think "allow" should be re-named "allow-unsafe", and I would prefer eval to
>> be "block" by default).
> In hindsight, I don't think the `unsafe-` prefixes made us any friends in
> the development community. Nor do I think they stopped anyone from doing
> unsafe things. It just made them irate while they were doing so. :)

Received on Tuesday, 23 July 2019 07:34:09 UTC