> Fair enough - although I worry that the likelihood of people using
> this in conjunction with tightly-scoped per-document CSP (versus the
> far more likely scenario of just having a minimal XSS-preventing
> site-wide or app-wide policy that will definitely not mitigate #3 and
> probably do nothing for #1) is pretty slim.

In fact, the XSS-preventing part is probably a stretch. Facebook and
Twitter are often mentioned as the two most significant customers for
CSP, but both use unsafe-inline and unsafe-eval.

On top of that, note that #3 is not defeated by origin-scoped rules -
you need to specify full paths.

Honestly, if we're creating a mechanism that implies that a degree of
protection is provided for password fields, we should either make it
work on its own, *or* at the very minimum require a CSP with
form-action specified, and otherwise warn or better yet, break fields
flagged as writeonly.


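As an added illustration, not part of the message above and not code from any browser or CSP implementation: a small checker modelling the rule the message proposes (require a CSP with form-action specified, otherwise warn or break writeonly fields), extended with the message's other point that origin-scoped form-action sources are not enough and full paths are needed. The function names, verdict strings and sample policies are this example's own constructions; the directive names and source-expression syntax are CSP's.

```javascript
// Added example, not code from the message or from any browser: a checker
// that models the rule proposed above, "require a CSP with form-action
// specified, and otherwise warn or break fields flagged as writeonly".
// It also reports form-action source lists that are only origin-scoped
// ('self', a bare host, a scheme, or '*'), since the message points out
// that origin-scoped rules are not enough and full paths are needed.
// Function names, verdict strings and sample policies are this example's own.

// Split a Content-Security-Policy header into a directive-name -> source-list map.
// Directives are ';'-separated; per CSP, a repeated directive name is ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify one form-action source expression by how tightly it is scoped.
//   'none'   -> 'none'     (allows no submission targets)
//   path     -> a host-source carrying a path, e.g. https://example.com/login/submit
//   origin   -> 'self' or a host-source with no path: any path on that origin
//   scheme   -> a scheme-source such as https:
//   wildcard -> '*'
function classifySource(src) {
  const s = src.toLowerCase();
  if (s === "'none'") return 'none';
  if (s === "'self'") return 'origin';
  if (s === '*') return 'wildcard';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return 'scheme';
  const m = s.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/]+)(\/.*)?$/);
  if (!m) return 'invalid';
  // A path of just "/" admits the whole origin, so it is still origin-scoped.
  return m[2] && m[2] !== '/' ? 'path' : 'origin';
}

// Decide what a user agent following the proposed rule would do with a
// writeonly password field on a page served with this CSP header.
//   break -> no form-action at all (default-src does not govern form-action,
//            so form submissions are unrestricted); refuse to honour writeonly
//   warn  -> form-action present, but at least one source is broader than a path
//   ok    -> every source is a full path (or 'none')
function evaluateWriteonlyPolicy(header) {
  const directives = parseCsp(header);
  if (!directives.has('form-action')) {
    return { verdict: 'break', reason: 'no form-action directive in policy' };
  }
  const sources = directives.get('form-action');
  // An empty source list matches nothing, which is as strict as 'none'.
  const kinds = sources.length ? sources.map(classifySource) : ['none'];
  const broad = sources.filter((_, i) => kinds[i] !== 'path' && kinds[i] !== 'none');
  if (broad.length === 0) {
    return { verdict: 'ok', reason: 'form-action restricted to full paths' };
  }
  return {
    verdict: 'warn',
    reason: `form-action allows origin-scoped or broader targets: ${broad.join(' ')}`,
  };
}

// Constructed sample policies (not taken from any real site).
const samplePolicies = [
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "default-src 'self'; form-action 'self'",
  "default-src 'self'; form-action https://example.com/login/submit",
  "form-action 'none'",
];

for (const policy of samplePolicies) {
  const r = evaluateWriteonlyPolicy(policy);
  console.log(`${r.verdict.padEnd(5)} ${r.reason}\n      policy: ${policy}`);
}
```

One caveat when reading the 'ok' verdict: CSP path matching is a prefix match when the source path ends in '/', and an exact match otherwise, so a source like https://example.com/login/ still admits every target under that directory, and only a path without a trailing slash pins the submission to a single endpoint.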