- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 15 Oct 2014 08:16:03 -0700
- To: Mike West <mkwst@google.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
> Fair enough - although I worry that the likelihood of people using
> this in conjunction with tightly-scoped per-document CSP (versus the
> far more likely scenario of just having a minimal XSS-preventing
> site-wide or app-wide policy that will definitely not mitigate #3 and
> probably do nothing for #1) is pretty slim.

In fact, the XSS-preventing part is probably a stretch. Facebook and Twitter are often mentioned as the two most significant customers for CSP, but both use unsafe-inline and unsafe-eval.

On top of that, note that #3 is not defeated by origin-scoped rules - you need to specify full paths.

Honestly, if we're creating a mechanism that implies that a degree of protection is provided for password fields, we should either make it work on its own, *or* at the very minimum require a CSP with form-action specified, and otherwise warn or, better yet, break fields flagged as writeonly.

/mz
Received on Wednesday, 15 October 2014 15:16:57 UTC
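The message above says an origin-scoped `form-action` rule does not stop the same-origin case and that the policy has to name full paths. The following is an added example, not code from the thread, from any browser, or from the writeonly proposal: a small matcher for CSP `form-action` source expressions (host-source path rules: a path ending in `/` is a prefix match, any other path is an exact match, query and fragment are ignored, `'self'` is scheme+host+port), run over a constructed scenario. The scenario, the hostnames `example.com` and `attacker.example`, and the `/account/set-email` endpoint are assumptions for illustration; the matcher also deliberately omits the spec's http-to-https scheme upgrade.

```javascript
// Added example, not code from the thread or from any browser: a minimal
// matcher for CSP `form-action` source expressions, used to show why an
// origin-scoped policy lets an injected <form> post a password field to
// another path on the same site, while a path-qualified source admits only
// the real endpoint. Simplifications (assumptions for this example): no
// http->https scheme upgrade, no 'unsafe-*' keywords.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);                 // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function pathMatches(pattern, path) {
  if (pattern === '') return true;                   // no path in the source: whole origin
  if (pattern.endsWith('/')) return path.startsWith(pattern); // directory prefix
  return path === pattern;                           // exact resource
}

// Does one source expression from a form-action directive admit `target`?
function sourceMatches(expr, target, doc) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === doc.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {          // scheme-source, e.g. "https:"
    return target.protocol === expr.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:?#]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantProto = scheme ? scheme.toLowerCase() + ':' : doc.protocol;
  if (target.protocol !== wantProto) return false;
  if (!hostMatches(host.toLowerCase(), target.hostname.toLowerCase())) return false;
  const targetPort = effectivePort(target);
  if (port === '*') { /* any port */ }
  else if (port) { if (port !== targetPort) return false; }
  else if (targetPort !== (DEFAULT_PORT[wantProto] || '')) return false;
  return pathMatches(path || '', target.pathname);
}

// Would a form submission to `actionUrl` (resolved against the document) be
// allowed by the given form-action directive value?
function formActionAllowed(directiveValue, actionUrl, documentUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(actionUrl, documentUrl);
  return directiveValue.trim().split(/\s+/).some(e => sourceMatches(e, target, doc));
}

// Constructed scenario (an assumption, not from the thread): the login page at
// https://example.com/login has an HTML-injection hole but no script execution,
// so the attacker re-targets the password form instead of reading the field.
const DOC = 'https://example.com/login';
const CROSS_ORIGIN = 'https://attacker.example/collect';
const SAME_ORIGIN_SINK = '/account/set-email';     // any same-site endpoint that stores or echoes input

function scenario() {
  return {
    // origin-scoped policies: block the cross-origin post, but not the same-origin one
    selfBlocksCross:  formActionAllowed("'self'", CROSS_ORIGIN, DOC),
    selfAllowsSink:   formActionAllowed("'self'", SAME_ORIGIN_SINK, DOC),
    originAllowsSink: formActionAllowed("https://example.com", SAME_ORIGIN_SINK, DOC),
    // path-qualified policy: only the real endpoint receives the submission
    pathBlocksSink:   formActionAllowed("https://example.com/login", SAME_ORIGIN_SINK, DOC),
    pathAllowsLogin:  formActionAllowed("https://example.com/login", '/login?next=/home', DOC),
    // a trailing slash turns the path into a prefix, which widens the target set again
    prefixAllowsSub:  formActionAllowed("https://example.com/auth/", '/auth/anything', DOC),
  };
}

console.table(scenario());
```

Run it with `node`. The `'self'` and bare-host rows come out identical to each other for the same-origin sink, which is the point the message makes: scoping by origin only rules out the cross-origin collector, and the password still leaves the page if any same-origin endpoint will accept the post. Only the source with a full path narrows the target to `/login`, and even there a trailing slash silently turns it back into a prefix.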