Bil Corry wrote:
CSP is non-trivial; it takes a bit of work to configure it properly
and requires on-going maintenance as the site evolves.  It's not
targeted to the uninformed author, it simply isn't possible to
achieve that kind of coverage -- I suspect in the pool of all
authors, the majority of them don't even know what XSS is, let alone
ways to code against it and using CSP to augment defense.

But did you try to get feedback, not from the average site author, but from those who have experience at successfully protecting against XSS large sites that evolve frequently ?

If the syntax has to be ugly, then there should be a tool that takes a site and calculates the appropriate CSP declarations.

In fact a solution could be that everytime the browser reject downloading a ressource due to CSP rules, it spits out a warning on the javascript console together with the minimal CSP authorization that would be required to obtain that ressource. This could help authors to write the right declarations without understanding much to CSP.

PS : Sorry for the multi-posting earlier, I was trying to cross-post to but it didn't work and I did not know it had sent the message to the group.
dev-security mailing list

Reply via email to