Gervase Markham wrote:
> Sid Stamm wrote:
>> What worries me is that with no assurance that they're enforced, CSP
>> policies won't be provided by web sites since it takes time (granted,
>> not much of it) to compose them.  It's likely that a profit-driven
>> company might rather have their engineers spend time fuzzing or bug
>> fixing than designing a good CSP string that may or may not ever be
>> used.
>
> It really doesn't take long - it's not a complicated spec. I'm not sure
> we need to make it "more attractive" by promising what we can't deliver.

One concern is the time and effort required to refactor existing code to use only external scripts (a non-trivial task). Development of new web code can take this restriction into account but still requires deliberate effort throughout the development cycle to maintain support for CSP.

I think utilizing CSP will be a very conscious decision by web site operators, weighing the benefits CSP offers, the cost of implementing and maintaining CSP support, and the risks of not adding CSP to their web site. While it would be nice to have a low cost, effective, add-on layer of security, it seems the requirement of no inline script code adds significantly to the cost of CSP. Therefore site owners should be able to estimate the benefit CSP will give them by measuring the level of browser support among the site's visitors, so it can be weighed against the cost of CSP deployment.

Is it correct that the rule against inline scripts is in effect for all CSP policies, even when script-src is not used?

Mike
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
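The refactoring Mike describes (moving every inline script, inline event handler and javascript: URL into an external file), together with a way to size that work before deploying a policy, as an added example that is not part of this thread and not code from Mozilla's CSP implementation. The scanner is a regex heuristic rather than an HTML parser, the two HTML pages and the app.js text are constructed samples, and the header value uses the current W3C CSP syntax, which is an assumption about the reader's browsers and differs from the 2009 Mozilla draft being discussed:

```javascript
// Added example, not code from the thread or from Mozilla's CSP work: a small
// regex-based scanner that counts the script constructs a policy restricting
// script sources would refuse to run (inline <script> bodies, on* handler
// attributes, javascript: URLs), so a site owner can size the refactoring
// before turning CSP on. It is a heuristic, not an HTML parser: it ignores
// HTML comments and can misfire on unusual markup.

// <script ...> tags with no src attribute, i.e. inline script bodies.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi;
// Inline event-handler attributes: onclick="...", onload='...', onerror=x
const EVENT_HANDLER_RE = /\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
// javascript: URLs in the attributes browsers navigate to or load from.
const JS_URL_RE = /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;

const KINDS = [
  ['inline-script', INLINE_SCRIPT_RE],
  ['event-handler', EVENT_HANDLER_RE],
  ['javascript-url', JS_URL_RE],
];

// One finding per construct CSP would block, with its character offset and a
// short snippet so the page author can locate it.
function findInlineScript(html) {
  const findings = [];
  for (const [kind, re] of KINDS) {
    for (const m of html.matchAll(re)) {
      findings.push({ kind, offset: m.index, snippet: m[0].trim().slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Per-kind counts, every kind present even when it is zero.
function countByKind(html) {
  const counts = Object.fromEntries(KINDS.map(([kind]) => [kind, 0]));
  for (const f of findInlineScript(html)) counts[f.kind] += 1;
  return counts;
}

// Constructed sample page written the way CSP forbids: one inline script
// block, two inline handlers and one javascript: link.
const BEFORE_HTML = `<!DOCTYPE html>
<html>
<head>
<script>
  function init() { document.title = 'Ready'; }
  function greet(name) { alert('Hello, ' + name); }
</script>
</head>
<body onload="init()">
<button onclick="greet('Mike')">Greet</button>
<a href="javascript:history.back()">Back</a>
</body>
</html>`;

// The same page after the refactoring: all script lives in app.js, handlers
// are attached from there, and data-* attributes carry what the handler text
// used to carry.
const AFTER_HTML = `<!DOCTYPE html>
<html>
<head>
<script src="app.js"></script>
</head>
<body>
<button data-greet="Mike">Greet</button>
<a href="#" data-action="back">Back</a>
</body>
</html>`;

// Constructed contents of the external app.js that replaces the inline code.
const APP_JS = `document.addEventListener('DOMContentLoaded', () => {
  document.title = 'Ready';
  for (const el of document.querySelectorAll('[data-greet]')) {
    el.addEventListener('click', () => alert('Hello, ' + el.dataset.greet));
  }
  for (const el of document.querySelectorAll('[data-action="back"]')) {
    el.addEventListener('click', (ev) => { ev.preventDefault(); history.back(); });
  }
});`;

// Policy allowing only same-origin external script. Current W3C header
// syntax (assumed); the 2009 Mozilla draft used a different syntax.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'";

console.log('before refactoring:', countByKind(BEFORE_HTML));
console.log('after refactoring: ', countByKind(AFTER_HTML));
console.log('policy to send with the refactored page:', CSP_HEADER);
```

Run the scanner over the templates or rendered pages of a site and the per-kind counts give a first estimate of how many edits the no-inline-script rule will cost; the before/after pair shows the shape each edit takes.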
