Bil Corry wrote:
> CSP is non-trivial; it takes a bit of work to configure it properly and requires on-going maintenance as the site evolves. It's not targeted to the uninformed author, it simply isn't possible to achieve that kind of coverage -- I suspect in the pool of all authors, the majority of them don't even know what XSS is, let alone ways to code against it and using CSP to augment defense.
But did you try to get feedback, not from the average site author, but from those who have experience at successfully protecting large sites that evolve frequently against XSS?
If the syntax has to be ugly, then there should be a tool that takes a site and calculates the appropriate CSP declarations.
PS: Sorry for the multi-posting earlier, I was trying to cross-post to www-arch...@w3.org but it didn't work and I did not know it had sent the message to the group.
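A minimal version of the "tool that takes a site and calculates the appropriate CSP declarations" suggested above, written as an added example for this thread and not code from either poster. It parses one page's HTML, records the origins that scripts, stylesheets, images and frames are loaded from relative to the page's own origin, and emits a starting Content-Security-Policy. Inline scripts, inline styles and `on*` handlers are counted and reported rather than allowed, because permitting them with `'unsafe-inline'` would give up exactly the XSS protection CSP is meant to add. The page URL, the sample markup and the hostnames in it are constructed for the example.

```python
"""Derive a starting Content-Security-Policy from a page's own markup (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a resource, and the CSP directive governing each.
RESOURCE_ATTRS = {
    ("script", "src"): "script-src",
    ("img", "src"): "img-src",
    ("iframe", "src"): "frame-src",
}
DIRECTIVE_ORDER = ["script-src", "style-src", "img-src", "frame-src"]

# Constructed sample input: a page on one origin pulling resources from several others.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example.net/css">
<link rel="icon" href="/favicon.ico">
<script src="https://cdn.example.com/lib.js"></script>
<script>trackPage();</script>
</head><body style="margin:0">
<img src="//images.example.org/logo.png">
<img src="/img/banner.png">
<iframe src="https://widgets.example.net/embed"></iframe>
<button onclick="go()">Go</button>
</body></html>"""


def origin_of(url):
    """Return scheme://host[:port] for an http(s) URL, or None for data:, blob:, about:, ..."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc.lower()}"
    return None


class CspCollector(HTMLParser):
    """Collect the origins a page loads resources from, plus counts of inline code."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin_of(page_url)
        self.sources = {d: set() for d in DIRECTIVE_ORDER}
        # Inline script/style would need 'unsafe-inline' or nonces/hashes; report, don't allow.
        self.inline = {"script-src": 0, "style-src": 0}

    def _add(self, directive, value):
        if not value:
            return
        origin = origin_of(urljoin(self.page_url, value))  # resolves relative and // URLs
        if origin is None:
            return  # non-http(s) schemes would need a scheme-source; out of scope here
        self.sources[directive].add("'self'" if origin == self.page_origin else origin)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            if attrs.get("src"):
                self._add("script-src", attrs["src"])
            else:
                self.inline["script-src"] += 1
        elif tag == "link":
            if attrs.get("rel", "").lower() == "stylesheet":
                self._add("style-src", attrs.get("href"))
        elif tag == "style":
            self.inline["style-src"] += 1
        elif (tag, "src") in RESOURCE_ATTRS:
            self._add(RESOURCE_ATTRS[(tag, "src")], attrs.get("src"))
        if "style" in attrs:  # style="" attribute is inline CSS
            self.inline["style-src"] += 1
        if any(k.startswith("on") for k in attrs):  # onclick= etc. is inline script
            self.inline["script-src"] += 1


def derive_csp(page_url, html):
    """Return (directive -> ordered source list, inline counts) for one page."""
    collector = CspCollector(page_url)
    collector.feed(html)
    collector.close()
    policy = {}
    for directive in DIRECTIVE_ORDER:
        srcs = collector.sources[directive]
        if srcs:
            policy[directive] = (["'self'"] if "'self'" in srcs else []) + sorted(srcs - {"'self'"})
    return policy, collector.inline


def csp_header(policy):
    """Serialise to a Content-Security-Policy header value with a 'self' fallback."""
    parts = ["default-src 'self'"] + [f"{d} {' '.join(s)}" for d, s in policy.items()]
    return "; ".join(parts)


if __name__ == "__main__":
    policy, inline = derive_csp(PAGE_URL, SAMPLE_HTML)
    print("Content-Security-Policy:", csp_header(policy))
    print("inline code to externalise or nonce before deploying:", inline)
```

For a whole site you would run `derive_csp` over every page and take the union of the source lists per directive; a directive derived from one page alone (here `script-src` lists only the CDN) will block same-origin scripts used elsewhere. Deploying the result first as `Content-Security-Policy-Report-Only` and watching the reports is the practical way to catch what the crawl missed, and it is also where the on-going maintenance the quoted message describes shows up.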
_______________________________________________ dev-security mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security