Redundancsp ˈɹɪdʌndən̩(t)siː-ɛs-piː 1. The phrase "CSP policy"
To borrow a page from IETF's book: "We believe in rough consensus and running code." New more elegant mechanisms are great, but they take time and don't always end up shipping. However unsatisfying, ugly existing mechanisms which do the job... do the job.
-
"Which do the job"... of confusing devs and security team mostly, as exemplified by pentest results, numerous papers, and my humble experience. In practice, I'm afraid CSP doesn't work (for XSS) nearly as well as it's been expected of it.
-
Absolutely no argument from me regarding developer confusion, etc. I mean "do the job" in the narrow sense of already supporting those restrictions that we'd want to port to the New Thing (e.g. requiring nonces/hashes to execute scripts).
-
Understood. But there is already full support for those in major UAs. Why keep fiddling with the CSP still? Isn't it better to just move on and work on the reboot?
-
I think this is exactly what @mikewest is suggesting :) The main thing is that "fiddling" with CSP3 results in features which help solve the problems mentioned by @0x6D6172696F (e.g. hashes for event handlers instead of 'unsafe-inline') *and* have a chance of shipping this year.
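As an added example (not code from anyone in the thread), the following shows the mechanism the last reply refers to: hashing inline script bodies, and under CSP3's 'unsafe-hashes' keyword also inline event handler attributes, so that a policy no longer needs 'unsafe-inline'. The script and handler bodies are constructed sample values.

```python
import base64
import hashlib

# Constructed sample fragments of a page (not taken from the thread).
INLINE_SCRIPT = "console.log('hello');"   # body of a <script> element
EVENT_HANDLER = "doSomething()"            # value of an onclick="..." attribute


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-<base64>') for a script body.

    CSP hashes the exact UTF-8 bytes of the content, whitespace included,
    so any change to the inline text invalidates the hash.
    """
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_src(inline_scripts, event_handlers):
    """Build a script-src directive that replaces 'unsafe-inline'.

    Hashes alone only allow <script> blocks; CSP3's 'unsafe-hashes'
    keyword is what extends them to inline event handler attributes.
    """
    sources = ["'self'"]
    sources += [csp_hash(s) for s in inline_scripts]
    if event_handlers:
        sources.append("'unsafe-hashes'")
        sources += [csp_hash(h) for h in event_handlers]
    return "script-src " + " ".join(sources)


def policy_still_allows_inline(directive: str) -> bool:
    """True if the directive still carries the blanket 'unsafe-inline'."""
    return "'unsafe-inline'" in directive.split()


if __name__ == "__main__":
    print(build_script_src([INLINE_SCRIPT], [EVENT_HANDLER]))
```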