On Apr 13, 2012, at 10:22 AM, Joe Walker wrote:

> We can't and shouldn't attempt to provide 100% protection for all forms of
> stupidity here. This is a response to a specific class of problems, involving
> some sort of viral propagation.
> Therefore the long tail of sites doesn't need protection, since they don't
> have the userbase that can exhibit this behaviour. We think that anyone that
> can support the number of users that makes this kind of thing viable (only
> Facebook, it seems, right now) can easily make use of this - i.e. it's only
> likely to be of interest to people that are already thinking about CSP.
> It's clear from experience that the instructions to turn on a pref to disable
> this protection are too complex to be viable. As noted elsewhere, we only
> need to be harder than Windows+R/cmd to not be the low hanging fruit.

I think Joe's framing here is exactly right. Not only do I not want to make our developer tools first-run experience less pleasant by adding warnings, but I also doubt that easily-dismissed warnings would be genuinely effective at protecting our users (and the less easily dismissed, the more terrible the user experience.)

I think the CSP directive is a better balance of keeping the tools pleasant to use the vast majority of the time, while still giving the short-head sites that are actually targeted by these self-xss worms a reasonably durable solution.

J

---
Johnathan Nightingale
Sr. Director of Firefox Engineering
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
