Jean-Marc Desperrier wrote on 7/17/2009 11:18 AM: 
> Bil Corry wrote:
>> CSP is non-trivial; it takes a bit of work to configure it properly
>> and requires on-going maintenance as the site evolves.  It's not
>> targeted to the uninformed author, it simply isn't possible to
>> achieve that kind of coverage -- I suspect in the pool of all
>> authors, the majority of them don't even know what XSS is, let alone
>> ways to code against it and using CSP to augment defense.
> But did you try to get feedback, not from the average site author, but
> from those who have experience at successfully protecting against XSS
> large sites that evolve frequently ?

It's my opinion that anyone with experience configuring rules for firewalls and 
WAFs to protect large sites will find CSP very understandable and 
approachable.  In fact, when compared to the syntax for iptables[1] or 
modsecurity[2], CSP is actually much simpler to understand and implement and is 
on par with the syntax of a similar technology, ABE[3].

> If the syntax has to be ugly,

It has to be functional; do you have specific suggestions on how the syntax 
should look?

> then there should be a tool that takes a
> site and calculates the appropriate CSP declarations.

I agree that a browser plug-in to do this would be helpful.

> In fact a solution could be that every time the browser rejects
> downloading a resource due to CSP rules, it spits out a warning on the
> javascript console together with the minimal CSP authorization that
> would be required to obtain that resource.
> This could help authors to write the right declarations without
> understanding much of CSP.

This could work too.  Or a tool that imports the Violation Report and allows an 
author to generate rules to allow the violation in the future.

- Bil
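The report-driven tool Bil sketches above, written out as an added example that is not part of this thread and not code from any browser or CSP implementation. It assumes the JSON report shape later browsers send to a report-uri endpoint (`{"csp-report": {"document-uri", "effective-directive", "violated-directive", "blocked-uri"}}`), not the 2009 draft format, and merges the minimal allow-list additions into an existing policy. Two caveats a practitioner would want are built in: a new directive is seeded from `default-src` so that splitting it out does not silently drop sources that used to be inherited, and anything that would require `'unsafe-inline'`, `'unsafe-eval'` or a `data:`/`blob:` scheme is set aside for human review rather than added automatically. The base policy and the reports are constructed sample data.

```javascript
// Added example (not from the thread): turn CSP violation reports into
// proposed policy additions. Report shape assumed: {"csp-report": {...}}.

// Constructed sample input: a strict base policy and a batch of reports.
const SAMPLE_BASE_POLICY = "default-src 'none'; script-src 'self'";
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://www.example.com/page",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "https://cdn.example.net/lib/app.js" } },
  { "csp-report": { "document-uri": "https://www.example.com/page",
      "effective-directive": "img-src", "violated-directive": "default-src 'none'",
      "blocked-uri": "https://www.example.com/img/logo.png" } },
  { "csp-report": { "document-uri": "https://www.example.com/page",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://www.example.com/page",
      "effective-directive": "connect-src", "violated-directive": "default-src 'none'",
      "blocked-uri": "wss://chat.example.com:8443/socket" } },
  { "csp-report": { "document-uri": "https://www.example.com/page",
      "effective-directive": "font-src", "violated-directive": "default-src 'none'",
      "blocked-uri": "data" } },            // some browsers report the bare scheme
  { "csp-report": { "document-uri": "https://www.example.com/other",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "https://cdn.example.net/lib/vendor.js" } }, // same origin as #1
];

// "directive src src; directive src" -> Map<directive, Set<source>>
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    if (!policy.has(name)) policy.set(name, new Set());
    for (const s of sources) policy.get(name).add(s);
  }
  return policy;
}

function serializePolicy(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Origin (scheme://host[:port]) of a fetchable URL, or null for anything that
// cannot be expressed as a host source (data:, blob:, "inline", "eval", ...).
function originOf(uri) {
  try {
    const u = new URL(uri);
    return /^(https?|wss?|ftp):$/.test(u.protocol) ? u.origin : null;
  } catch {
    return null;
  }
}

// Minimal source expression that would have allowed the blocked load.
// `review: true` marks sources that weaken the policy and must not be
// added without a human looking at them.
function proposeSource(report) {
  const r = report["csp-report"] || report;
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(/\s+/)[0];
  const blocked = String(r["blocked-uri"] || "");
  if (blocked === "inline") return { directive, source: "'unsafe-inline'", review: true };
  if (blocked === "eval") return { directive, source: "'unsafe-eval'", review: true };
  const scheme = /^(data|blob|filesystem):?$/.exec(blocked);
  if (scheme) return { directive, source: scheme[1] + ":", review: true };
  const origin = originOf(blocked);
  if (!origin) return { directive, source: null, review: true };
  const self = origin === originOf(r["document-uri"]);
  return { directive, source: self ? "'self'" : origin, review: false };
}

// Merge proposals into the base policy; returns the new policy text plus the
// list of proposals that need manual review.
function mergePolicy(basePolicy, reports) {
  const policy = parsePolicy(basePolicy);
  const needsReview = [];
  for (const report of reports) {
    const { directive, source, review } = proposeSource(report);
    if (!directive) continue;
    if (review || !source) {
      needsReview.push({ directive, source, blocked: (report["csp-report"] || report)["blocked-uri"] });
      continue;
    }
    if (!policy.has(directive)) {
      // A directive that did not exist was governed by default-src; keep
      // those sources (except 'none') so splitting it out loses nothing.
      const inherited = [...(policy.get("default-src") || [])].filter(s => s !== "'none'");
      policy.set(directive, new Set(inherited));
    }
    policy.get(directive).add(source);   // Set dedupes repeated origins
  }
  return { policy: serializePolicy(policy), needsReview };
}

console.log(JSON.stringify(mergePolicy(SAMPLE_BASE_POLICY, SAMPLE_REPORTS), null, 2));
```

The output for the sample batch is a policy that admits the CDN, the same-origin images and the WebSocket endpoint, while `'unsafe-inline'` for `script-src` and `data:` for `font-src` land in `needsReview`; the inline script is the case where the right fix is usually to move the code into a file, not to loosen the policy.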


dev-security mailing list
