bsterne wrote:
> I think that CSP should be considered part of the browser security
> model. Mike and others have made the excellent point that there are
> significant costs to bear for a website that wants to start using this
> model: policy development as well as migrating inline scripts to
> external script files. Websites will not be willing to pay this cost
> if user agents are not strongly committed to enforcing the policies.
> We won't be able to make security guarantees like "XSS will never
> happen on your site", but we can provide smaller guarantees like
> "inline script will not execute in this page if the CSP header is
> sent".
I completely agree that we should make these guarantees, in the sense that if that doesn't work, it's a bug :-) That's not the sort of guarantee I'm objecting to. The sort I'm objecting to is "you don't have to validate and escape user input properly because even if you let a <script> tag through accidentally, CSP will catch it and save you". Some understandings of "CSP being strongly part of the browser security model" would have us making such guarantees. And I think they would be a mistake.

If "CSP being strongly part of the browser security model" just means "we guarantee that it does what it says on the tin" then I have no problem with it :-)

My reduced commitment to guarantees was not designed as an ass-covering measure for shoddy coding ;-)

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
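The two guarantees the thread distinguishes can be made concrete in code. The following is an added example, not part of the original mailing-list exchange and not Mozilla's CSP implementation: a small parser for `Content-Security-Policy` header values that answers the narrow question "does this policy block inline script?" (the "does what it says on the tin" guarantee), next to the output-escaping step that CSP does not replace (the guarantee Gerv declines to make). The policy strings and the `render_comment` helper are constructed for illustration; the nonce/hash handling assumes CSP level 2 or later semantics, where a nonce or hash source causes `'unsafe-inline'` to be ignored.

```python
"""Added example (not from the original thread or the CSP project):
parse a CSP header, decide whether it blocks inline script, and show
the escaping step that remains the application's job."""
import html
from typing import Dict, List, Optional


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';', tokens by whitespace, and names are
    case-insensitive. A repeated directive is ignored after its first
    occurrence, which is how user agents treat duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def inline_script_blocked(header_value: str) -> bool:
    """True if this policy stops an inline <script> element from running.

    script-src governs inline script; if it is absent, default-src is the
    fallback. If neither is present the policy says nothing about script
    and blocks nothing. Inline script is permitted only when the governing
    directive lists 'unsafe-inline' AND no nonce- or hash-source is present
    (assumption: CSP level 2+ semantics, where a nonce/hash source makes
    'unsafe-inline' ignored, so unlabelled inline script is still blocked).
    """
    policy = parse_csp(header_value)
    sources: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    hash_prefixes = ("'sha256-", "'sha384-", "'sha512-")
    return any(s.startswith("'nonce-") or s.startswith(hash_prefixes) for s in lowered)


def render_comment(user_text: str) -> str:
    """The step CSP does not replace: escape untrusted text before it is
    placed into HTML, so a '<script>' in the input never becomes a tag.
    CSP is defence in depth behind this, not a substitute for it."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    for policy in (
        "default-src 'self'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "script-src 'self' 'unsafe-inline' 'nonce-d2VsbA=='",
        "img-src 'self'",
    ):
        print(f"{policy!r:60} blocks inline script: {inline_script_blocked(policy)}")
    print(render_comment("<script>alert(1)</script>"))
```

`inline_script_blocked` is the check a deployment review would run over a site's header before relying on the "inline script will not execute" guarantee; a policy that carries `'unsafe-inline'` without a nonce or hash has opted out of it. `render_comment` is deliberately trivial: the point is that it still has to exist whether or not the header is sent.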
