Talk:Content Security Policy

From OWASP
Revision as of 04:49, 30 April 2013 by Dimisec (Talk | contribs)


I don't think this correctly belongs in the OWASP Java Project, since CSP deals with browser security and the server-client protocol (HTTP headers), independently of the specific server implementation. You can send the CSP headers from any possible HTTP server - Java, ASP, PHP/Apache, NodeJS etc. Personally, I find that the lengthy Java implementation example may distract from the main issues and the choices / tradeoffs that people thinking about implementing the CSP on their sites would have to make. Also, regarding the following:

> Inline script will be allowed because inline scripting is commonly used (it can be disabled if the target site does not use this type of scripting)

I think this does not make it clear that unsafe-inline removes a lot of anti-XSS protection and therefore most of the benefits of using the CSP.

> This article is based on version 1.1 of the W3C specification.

I believe 1.1 is not yet fully complete, and the implementations are based mostly on 1.0 (need to double-check). I think 1.0 would be the better fit for this page - need to look into how significant the changes are.