[WEB SECURITY] Thoughts on Content Security Policy?

Terri Oda terri at zone12.com
Fri Jul 3 17:37:08 EDT 2009


bugtraq at cgisecurity.net wrote:
>> So yeah, the basic idea has a lot of merit, but as the proposal stands 
>> right now, I'm not sure it can gain the necessary traction to make it 
>> useful.
> 
> More work is needed for sure, such things aren't to be taken lightly or implemented too quickly
> without properly factoring in all the messed up use cases that exist.

For sure -- and I'm really glad to see lots of good comments moving CSP 
forwards, even if I'm not ready to give it a hearty endorsement myself!

I'm going to disagree about not doing early implementations, though.  As 
long as you're willing to throw away early implementations when better 
designs come along, there's a lot to be gained from testing stuff out on 
real web pages before the design is completely firm.  We found this when 
implementing SOMA, which is superficially similar to the early version 
of CSP when it was still called "Site Security Policy."


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
