On Thu, 16 Jul 2009, Bil Corry wrote:

> Ian Hickson wrote on 7/16/2009 5:51 AM:
> > I think that this complexity, combined with the tendency for authors
> > to rely on features they think are solving their problems, would
> > actually lead to authors writing policy files in what would externally
> > appear to be a random fashion, changing them until their sites worked,
> > and would then assume their site is safe. This would then likely make
> > them _less_ paranoid about XSS problems, which would further increase
> > the possibility of them being attacked, with a good chance of the
> > policy not actually being effective.
>
> I think your point that CSP may be too complex and/or too much work for
> some developers is spot on. Even getting developers to use something as
> simple as the Secure flag for cookies on HTTPS sites is still a
> challenge. And if we can't get developers to use the Secure flag, the
> chances of getting sites configured with CSP is daunting at best.