After reading the specs, it is clear that the main aim is to prevent executable code within HTML files. I do agree that CSP enables web developers to create more secure websites. In my view there is one problem:
How is CSP going to prevent lousy web developers from including all their dynamic content in JavaScript files? I see a risk that web developers create empty HTML files and include all the content in generated JavaScript files (maybe future versions of web frameworks will support CSP like this??). In this situation CSP has more or less shifted the problem from *.html to *.js files. Should we consider this situation? Or should we just ignore web developers that do not understand the web standards?

To prevent this we should have some requirements about the static nature of the js files. One mechanism that might implement this is adding requirements for static js files by requiring code-signed JavaScript files (is this possible at the moment? http://www.mozilla.org/projects/security/components/signed-scripts.html describes signed scripts, however it requires the creation of a *.jar). In such a situation code-signed JavaScript should be signed by an offline key.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

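The point raised in the post, that CSP decides where a script may be loaded from but says nothing about what an allowlisted external file contains, can be made concrete with a small policy evaluator. The following is an added example, not code from the post or from Mozilla; it models simplified CSP semantics (the `script-src` directive with fallback to `default-src`, the `'self'`, `'unsafe-inline'` and `*` keywords, origin allowlists given with an explicit scheme, and the `'sha256-...'` hash sources that later CSP versions added for inline scripts). The page URL, policy strings and script bodies are constructed sample values.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def sha256_source(script_body):
    """Build the 'sha256-<base64>' source expression that matches exactly this inline script text."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def origin_of(url):
    """(scheme, host[:port]) of a URL or of a scheme-qualified source expression."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower())


def script_allowed(policy, page_url, src=None, inline_body=None):
    """Decide whether a script would execute under the policy (simplified CSP rules).

    Returns (allowed, reason). Pass inline_body for an inline <script>, src for an external one.
    """
    sources = policy.get("script-src", policy.get("default-src", []))
    if inline_body is not None:
        if "'unsafe-inline'" in sources:
            return True, "'unsafe-inline' permits any inline script"
        if sha256_source(inline_body) in sources:
            return True, "inline script matches a listed sha256 source"
        return False, "inline script blocked: no 'unsafe-inline' and no matching hash"
    # External script: only its origin is checked. The file's contents are never inspected,
    # so a same-origin app.js can carry arbitrary generated code and still be allowed.
    if "*" in sources:
        return True, "wildcard source allows any origin"
    if "'self'" in sources and origin_of(src) == origin_of(page_url):
        return True, "same-origin external script; contents are not inspected"
    for s in sources:
        if s.startswith("'"):
            continue  # keyword or hash source, not a host
        if origin_of(src) == origin_of(s):
            return True, "origin %s is allowlisted; contents are not inspected" % s
    return False, "external script origin not in policy"


# Constructed sample page and policy (assumed values, not from the post).
PAGE = "https://app.example.com/index.html"
POLICY = parse_csp("default-src 'none'; script-src 'self' https://cdn.example.com")


def demo():
    """Which of four scripts run under POLICY when embedded in PAGE."""
    return {
        "inline": script_allowed(POLICY, PAGE, inline_body="alert(document.cookie)")[0],
        "self_js": script_allowed(POLICY, PAGE, src="https://app.example.com/app.js")[0],
        "cdn_js": script_allowed(POLICY, PAGE, src="https://cdn.example.com/lib.js")[0],
        "other_js": script_allowed(POLICY, PAGE, src="https://evil.example.net/x.js")[0],
    }


def hash_pinned_demo():
    """A hash source pins an inline script to its exact text; any edit, even a trailing
    semicolon, no longer matches. This is the 'static' property the post asks for, but
    only for inline scripts, not for external *.js files."""
    pinned = parse_csp("script-src " + sha256_source("alert(1)"))
    return (
        script_allowed(pinned, PAGE, inline_body="alert(1)")[0],
        script_allowed(pinned, PAGE, inline_body="alert(1);")[0],
    )


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-9s %s" % (name, "allowed" if allowed else "blocked"))
    print("hash-pinned inline (exact, edited):", hash_pinned_demo())
```

Running `demo()` shows the asymmetry the post describes: the inline script is blocked, while `app.js` from the page's own origin is allowed no matter what code was generated into it. `hash_pinned_demo()` shows how a hash source enforces that a script's text is fixed, which is the kind of requirement the post wants for external files too; a policy that only lists origins gives that guarantee to nothing.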