Sid Stamm wrote:
> Gervase Markham <[email protected]> wrote:
>> Security is a multi-faceted beast.
> Point taken, and I agree, it was a crappy analogy.
>
>> Again, CSP is here being used as a front line of
>> defence, and it shouldn't be.
> I agree with you... optimally, CSP should not be front-line defense.
> But for it to be helpful in practice, there must be a motivation for
> people to put it on their sites.
>
> What worries me is that with no assurance that they're enforced, CSP
> policies won't be provided by web sites since it takes time (granted,
> not much of it) to compose them. It's likely that a profit-driven
> company might rather have their engineers spend time fuzzing or bug
> fixing than designing a good CSP string that may or may not ever be
> used.
It really doesn't take long - it's not a complicated spec. I'm not sure we
need to make it "more attractive" by promising what we can't deliver.

>> Another feature of CSP is "herd immunity" -
>> it doesn't have to be used by everyone to
>> be helpful.

Sorry, I realise that in hindsight I was ambiguous here. I meant that not
all end-users have to use it for it to be helpful in the case of a
particular site which is using it. I say this because once the site owner
is warned of the problem, he can fix it. If no-one has CSP, it may take
much longer for people to notice the compromise.

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
