Difference between revisions of "Talk:Content Security Policy"

From OWASP
Previous revision summary: (discussion of the CSP page). Current revision summary: m (1.0 vs 1.1 W3C spec).
Revision as of 04:49, 30 April 2013

I don't think this correctly belongs to the OWASP Java Project, since CSP deals with browser security and the server-client protocol (HTTP headers), independently of the specific server implementation. You can send the CSP headers from any possible HTTP server: Java, ASP, PHP/Apache, NodeJS, etc. Personally, I find that the lengthy Java implementation example may distract from the main issues and the choices / tradeoffs that people thinking about implementing the CSP on their sites would have to make. Also, regarding the following:

> Inline script will be allowed because inline scripting is commonly used (can be disabled if the target site does not use this type of scripting)

I think this does not make it clear that unsafe-inline removes a lot of anti-XSS protection and therefore most of the benefits of using the CSP.

> This article is based on version 1.1 of the W3C specification.

I believe 1.1 is not yet fully complete, and the implementations are based mostly on 1.0 (need to double-check). I think 1.0 would be the better fit for this page - need to look into how significant the changes are.