User: Password:
Subscribe / Log in / New account

Mozilla's Content Security Policy

Mozilla's Content Security Policy

Posted Jul 9, 2009 13:03 UTC (Thu) by swiftone (guest, #17420)
In reply to: Mozilla's Content Security Policy by butlerm
Parent article: Mozilla's Content Security Policy

Unless your application has a large number of places that are vulnerable to being incorrectly coded to output large user submitted text fields without encoding or user submitted html content without sanitization checks, the added value of this system is approximately zero.

Any site that accepts user input has places that are vulnerable to being incorrectly coded. And as simple as correct coding is it doesn't take much effort to discover that a large number of sites are doing poorly at doing so, either because it turns out that cleansing input is non-trivial after all, or because it is easy to be lazy.

It takes only one developer to screw up in one place to leave a site vulnerable. Because of attacks like Cross Site Request Forgery (Generating a request to a different app that the user is authenticated to) a developer on one app can leave another otherwise secure app vulnerable.

This policy allows the server administrator to greatly reduce the threat in a single fell-swoop. I would not call that added-value "zero".

Meanwhile the cost is:

  • No inline JS - Not a problem, inline JS in considered a poor practice in terms of accessibility and maintenance. Use progressive enhancement techniques anyway.
  • JS in outside files - Again, a best practice in terms of maintenance and code-reuse.
These costs seem far from prohibitive for the benefit in my opinion.

It is true that this makes dynamically generated javascript difficult. Who (outside of attackers) uses dynamically generated javascript? With the large array of stable and useful JS lubraries available, there should be no need for such butchery. (JSON parsers/generators are specifically mentioned as not being a problem in the CSP FAQ). Is there some bastion of useful dynamically generated JS that I am unaware of?

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds