Gervase Markham <[email protected]> wrote:

> Security is a multi-faceted beast.

Point taken, and I agree, it was a crappy analogy.
> Again, CSP is here being used as a front line of
> defence, and it shouldn't be.

I agree with you... optimally, CSP should not be front-line defense. But for it to be helpful in practice, there must be a motivation for people to put it on their sites. What worries me is that with no assurance that they're enforced, CSP policies won't be provided by web sites, since it takes time (granted, not much of it) to compose them. It's likely that a profit-driven company might rather have their engineers spend time fuzzing or bug fixing than designing a good CSP string that may or may not ever be used.

One point of view is, screw 'em... sites that don't provide CSP will just be vulnerable to more XSS attacks, and it is only skin off their own back. On the other hand, the client through his browser is usually the real victim, not the site, and I think we want to encourage sites to give as much protection to the client as possible. This might mean tailoring CSP a bit to give companies motivation to put CSP into their sites. Though, perhaps in the long run a good policy can help them later identify possible vulnerabilities, it may not be obviously beneficial in the short run, and that won't be enough to make up for the fact that the site can't tell whether or not their CSP is helping out at all (and so they won't provide it).

> Another feature of CSP is "herd immunity" -
> it doesn't have to be used by everyone to
> be helpful.

Surely using CSP won't *hurt*, but I think that it will only help the people who use it. Herd immunity applies mainly to viral spreads or epidemics, and I would argue that most of what CSP prevents are not viral attacks. A few browsers with CSP can help slow an XSS worm from spreading to the rest of the "herd", but it won't change the persistent or reflected XSS attacks that steal contact lists or deface a site that doesn't use CSP. These one-shot (non-viral) attacks only become less frequent when it becomes more futile to try.
CSP actually has to be adopted enough by sites in practice (and not just theorized) to make the attacks it prevents less attractive, and thus reduce the overall number of attempted attacks. For instance, if only 10% of visitors to an XSS-defaced site enforce CSP, attackers will probably still deface that site because 90% isn't bad. If we can make it irrational to attack a site (by having 60% of browsers and sites implement CSP), then we'll see attackers stop trying. Until then, only those implementing CSP will get the benefit of extra security.

-Sid

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
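The two points Sid makes, that composing a "CSP string" is a small but real engineering task and that only the sites which actually ship one get any protection, can be made concrete with a small policy evaluator. The block below is an added example and is not code from this thread, from Sid, or from Mozilla's CSP implementation. It parses the script-loading part of a policy and decides whether an injected script would run, using modern CSP syntax (an assumption on my part; this discussion predates the finished syntax). The page origin, CDN and attacker hostnames are constructed for the demonstration, and ports, paths, nonces, hashes and 'strict-dynamic' are deliberately left out.

```javascript
// Added example, not from the dev-security thread: a minimal evaluator for the
// script-fetching part of a Content Security Policy (modern syntax assumed).
// Ports, paths, nonces, hashes and 'strict-dynamic' are intentionally unsupported.

// Parse "directive v1 v2; directive v3" into { directive: [v1, v2], ... }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Does one source expression ('self', https:, *.example.net, host) allow a URL?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;                 // 'none', 'unsafe-inline', ... never match a URL
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source, e.g. https:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (wildcard) return url.hostname.endsWith('.' + host);  // *.example.net needs a real subdomain
  return url.hostname === host;
}

// Would a script execute under the policy? `script` is { inline: true } for an
// injected <script>...</script> block, or { src: url } for an external script.
function scriptAllowed(policy, script, pageOrigin) {
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;   // no applicable directive: browser default, everything runs
  if (script.inline) return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  return sources.some(s => sourceMatches(s, new URL(script.src), pageOrigin));
}

// Constructed scenario: the same XSS payloads against a site that ships no
// policy and one that ships a short policy. Hostnames are illustrative only.
const PAGE_ORIGIN = 'https://shop.example';
const NO_POLICY = '';
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net";

const payloads = {
  injectedInline: { inline: true },                           // reflected or persistent XSS
  attackerHosted: { src: 'https://evil.example/steal.js' },   // remotely hosted payload
  legitimateCdn:  { src: 'https://cdn.example.net/lib.js' },  // the site's own dependency
};

// Returns { payloadName: runs? } for every payload under the given header.
function evaluateSite(header) {
  const policy = parseCsp(header);
  const result = {};
  for (const [name, script] of Object.entries(payloads)) {
    result[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return result;
}

console.log('no CSP   :', evaluateSite(NO_POLICY));   // every payload runs
console.log('with CSP :', evaluateSite(POLICY));      // only the CDN script runs
```

The no-policy case is the point of the message: with an empty header every payload executes, exactly as it would without CSP, while the one-line policy blocks both the inline and the attacker-hosted script and still lets the site's own CDN dependency load.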
