Mozilla's Content Security Policy
Posted Jul 9, 2009 13:03 UTC (Thu) by swiftone
In reply to: Mozilla's Content Security Policy
Parent article: Mozilla's Content Security Policy
Unless your application has a large number of places that are vulnerable to
being incorrectly coded to output large user submitted text fields without
encoding or user submitted html content without sanitization checks, the
added value of this system is approximately zero.
Any site that accepts user input has places that are vulnerable to being incorrectly coded. And as simple as correct coding is it doesn't take much effort to discover that a large number of sites are doing poorly at doing so, either because it turns out that cleansing input is non-trivial after all, or because it is easy to be lazy.
It takes only one developer to screw up in one place to leave a site vulnerable. Because of attacks like Cross Site Request Forgery (Generating a request to a different app that the user is authenticated to) a developer on one app can leave another otherwise secure app vulnerable.
This policy allows the server administrator to greatly reduce the threat in a single fell-swoop. I would not call that added-value "zero".
Meanwhile the cost is:
- No inline JS - Not a problem, inline JS in considered a poor practice in terms of accessibility and maintenance. Use progressive enhancement techniques anyway.
- JS in outside files - Again, a best practice in terms of maintenance and code-reuse.
These costs seem far from prohibitive for the benefit in my opinion.
to post comments)