- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Thu, 16 Jul 2009 17:25:36 -0400
On Thu, Jul 16, 2009 at 4:25 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> We've actually proposed it to the webapps list, but got little to no
> response. I'm not sure if we at this time have anyone that would have
> the resources to offer to be editor for a W3C CSP spec, if any of the
> WGs there are interested to host it.
>
> So in short, yes, we'd love to have it standardized, but so far
> haven't found a path to make that practically happen.
>
> But, as Mike said, we'd love to get feedback, and we'd love to get it
> now. So far most of the feedback we've gotten has been "looks
> interesting" which we take as a pretty good sign, but a little lacking
> in detail :)

As a web developer, I'd say it looks awesome. It could allow at least major web apps and big sites (i.e., those willing to put in the effort) to become almost immune to XSS, while XSS in complicated web apps seems to be as inevitable as death and taxes right now. XSS is to web apps right now kind of like what buffer overflows are to C: probably there are some people or institutions that are careful enough to *always* get it right, but there sure aren't many.

Of course, if only Mozilla implements it, it will be of limited value. I was concerned that none of the announcements said anything about standardizing it or working with other browser vendors, just about what Mozilla was doing. I'm glad to hear that it's not intended to be Mozilla-specific, and hope other browsers pick up on it.

report-uri would still be really useful even if only Mozilla implemented the spec, as long as Firefox has good market share. That's a particularly cool feature; I wouldn't have thought of it.

I guess this approach has pitfalls. Every admin will have to manually specify that they accept scripts from Analytics/their ad provider/etc., etc. I guess for web apps, they could still ship with CSP enabled by default, and just require admins to add new script links through some interface that automatically updates the policy.

What I'd really love to see is if all major web apps could at some point ship with full CSP enabled by default. I'm not clear yet on whether it would work in practice, or if it would break too many things and we'd realistically have to leave it opt-in. I'm hoping that report-uri would be a good solution to this: the app could have a page that would automatically mail the admin with enough instructions that they could fix the problem easily whenever one occurs.

Is there support in the spec for pinging the report-uri on violations, but still allowing the violation to go through? That could allow much easier deployment, so that you could verify that your policy wasn't blocking anything legitimate. I don't see it anywhere, but I didn't look very hard.

So those are my comments. In short, I think the idea is great. I can pretty much guarantee that Wikimedia will be interested in trying it out as soon as there are dev builds of Firefox that support it, especially if we can have it report-only initially.
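The message above asks for two things: a policy that lists the script providers an admin actually trusts, and a report-only deployment mode plus a report-uri handler that turns each violation into an instruction the admin can act on. The following is an added example illustrating both, not code from the original message, from Mozilla, or from Wikimedia. It assumes the later standardized CSP syntax (the `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers, `script-src`, `report-uri`, and the JSON `csp-report` body a browser POSTs), which postdates this 2009 thread; the host names and the sample report are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: script providers an admin has chosen to trust
# (the "Analytics / ad provider" case in the message). Placeholder hosts.
TRUSTED_SCRIPT_HOSTS = ["https://analytics.example", "https://ads.example"]


def build_csp(script_hosts, report_uri="/csp-report", report_only=False):
    """Return (header_name, header_value) for a policy that allows scripts
    only from the page's own origin plus the listed hosts, and sends
    violation reports to report_uri. report_only=True selects the header
    that reports violations without blocking them, the deployment mode the
    message asks about: you can check that the policy breaks nothing
    legitimate before switching to enforcement."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(["'self'"] + list(script_hosts)),
        "report-uri " + report_uri,
    ]
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(directives)


def parse_csp_report(body):
    """Parse the JSON a browser POSTs to report-uri and return
    (violated directive name, blocked origin). For inline or eval'd script
    the browser sends a keyword such as "inline" rather than a URL, so the
    keyword is returned unchanged."""
    report = json.loads(body)["csp-report"]
    directive = (report.get("effective-directive")
                 or report["violated-directive"].split()[0])
    blocked = report.get("blocked-uri", "")
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return directive, f"{parts.scheme}://{parts.netloc}"
    return directive, blocked


def admin_hint(body):
    """Turn one violation report into the one-line instruction the message
    imagines mailing to the admin: extend the allow-list if the blocked
    resource is a provider the site really uses, otherwise treat the report
    as a possible injection to investigate."""
    report = json.loads(body)["csp-report"]
    directive, origin = parse_csp_report(body)
    doc = report.get("document-uri", "?")
    if not directive.startswith("script-src"):
        return f"{directive} blocked {origin} on {doc}"
    if origin in ("inline", "eval", ""):
        return (f"inline/eval script blocked on {doc}: move it into a file "
                f"served from an allowed host, or investigate it as a possible "
                f"injection")
    return (f"script from {origin} blocked on {doc}: add {origin} to script-src "
            f"if it is a provider you use, otherwise investigate it as a "
            f"possible injection")


# Constructed sample report, in the shape a browser sends to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://wiki.example/Main_Page",
    "violated-directive": "script-src 'self' https://analytics.example",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.ads.example/tag.js",
}})

SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://wiki.example/Special:Search",
    "violated-directive": "script-src 'self' https://analytics.example",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
}})

if __name__ == "__main__":
    print(build_csp(TRUSTED_SCRIPT_HOSTS, report_only=True))
    print(admin_hint(SAMPLE_REPORT))
    print(admin_hint(SAMPLE_INLINE_REPORT))
```

The usual rollout is to serve the report-only header first, watch what `admin_hint` produces over a few days of real traffic, add the legitimate providers it names to the allow-list, and only then switch `report_only` to `False`.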
Received on Thursday, 16 July 2009 14:25:36 UTC