Sorry I haven't been more vocal on this thread lately. I think it's important that we keep our momentum moving forward here if we hope to get something meaningful implemented any time soon.
I am getting the sense that we aren't in agreement on one or two of the fundamental goals of this project and I think it potentially jeopardizes overall progress if we are working with different base assumptions. My near-term goal is to start driving toward a stable design (if not specification) for CSP. The design is certainly still open for comments and feedback, but those discussions will be easier to resolve after we've settled the issue of project goals. More below...

On Dec 23 2008, 7:34 am, Gervase Markham <g...@mozilla.org> wrote:
> I am not arguing we should make CSP work a random 50% of the time. I am
> arguing that CSP is not a "security model", it's a "phew, I would have
> just got stuffed, but it saved me this time" model. Security models are
> things you rely on. CSP is a second line of defence for when your
> security model fails, and it doesn't promise to save your ass every time.

I think that CSP should be considered part of the browser security model. Mike and others have made the excellent point that there are significant costs to bear for a website that wants to start using this model: policy development as well as migrating inline scripts to external script files. Websites will not be willing to pay this cost if user agents are not strongly committed to enforcing the policies. We won't be able to make security guarantees like "XSS will never happen on your site", but we can provide smaller guarantees like "inline script will not execute in this page if the CSP header is sent".

I have previously agreed with Gerv's "belt-and-(suspenders|braces)" logic with regard to CSP as it had twofold appeal to me: 1) it is consistent with the defense-in-depth approach found elsewhere in computer security, and 2) it provided an escape hatch from design flaws, implementation bugs, or other deficiencies later discovered with the model.

It appears now, though, that this issue is impeding us a bit and I am going to weigh in on the side of stronger commitment to policy enforcement. Perhaps a stronger design is produced as the result of a firm commitment to CSP as a part of the browser security model (or perhaps it is required by such a commitment).

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
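The two adoption costs named in the message above, moving inline scripts into external files and writing a policy that actually withdraws inline script, are concrete enough to show in code. The following is an added example, not code from the original thread, from Mozilla, or from any CSP implementation. It assumes the header name `Content-Security-Policy` and the `script-src` / `default-src` / `'unsafe-inline'` syntax that CSP later standardized (the 2008 draft used different names), and it deliberately ignores nonce- and hash-based allowances, which that draft did not have. The HTML document is constructed sample input.

```python
"""
Added example (not from the original dev-security post): a small helper that
externalizes inline <script> blocks, plus a checker that answers the question
"will inline script run under this policy?" for a CSP header.

Assumptions (not from the original message): the later standardized header
syntax, i.e. directives separated by ';', script-src falling back to
default-src, and the 'unsafe-inline' keyword. Nonce/hash sources are ignored.
"""
import hashlib
import re

# Matches a <script ...>...</script> pair, capturing attributes and body.
INLINE_SCRIPT_RE = re.compile(
    r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)
# Detects an existing src= attribute so external scripts are left alone.
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']?[^\s"'>]+""", re.IGNORECASE)


def externalize_inline_scripts(html, prefix="js/inline-"):
    """Return (new_html, files) where every non-empty inline script body has
    been moved into files[name] and replaced by <script src="name">.
    File names are content-addressed (sha256 prefix) so identical inline
    blocks collapse into one external file. The prefix is a hypothetical path."""
    files = {}

    def repl(match):
        attrs, body = match.group("attrs"), match.group("body")
        if SRC_ATTR_RE.search(attrs) or not body.strip():
            return match.group(0)  # already external, or empty: keep as-is
        name = prefix + hashlib.sha256(body.encode("utf-8")).hexdigest()[:12] + ".js"
        files[name] = body
        return '<script%s src="%s"></script>' % (attrs, name)

    return INLINE_SCRIPT_RE.sub(repl, html), files


def parse_csp(header):
    """Parse 'directive src src; directive src' into {directive: [src, ...]}.
    Directive names are case-insensitive; the first occurrence of a directive
    wins, later duplicates are ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_script_allowed(header):
    """Decide whether inline <script> blocks may execute under the policy.
    script-src governs; if absent, default-src governs; if neither is
    present the policy says nothing about script and inline script runs."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


# Constructed sample page: one external script and two inline blocks.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>document.getElementById('x').onclick = function () { alert(1); };</script>
</head><body><div id="x">click</div>
<script type="text/javascript">
  var tracker = 'abc';
</script>
</body></html>"""


if __name__ == "__main__":
    new_html, files = externalize_inline_scripts(SAMPLE_HTML)
    print(new_html)
    for name, body in files.items():
        print("--- write %s (%d bytes)" % (name, len(body)))
    for header in ("default-src 'self'",
                   "script-src 'self' 'unsafe-inline'",
                   "img-src *"):
        print("%-40s inline allowed: %s" % (header, inline_script_allowed(header)))
```

Run it and the migrated page keeps `/static/app.js` as it was, while both inline blocks become `<script src="js/inline-...">` references whose bodies are ready to be written to disk. The policy check then makes the message's "smaller guarantee" mechanical: `default-src 'self'` or `script-src 'self'` withdraws inline script, a policy that re-adds `'unsafe-inline'` does not, and a header that never mentions script (`img-src *`) constrains nothing about it.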