
Security

There have been a number of web security policies proposed over the past year or so that have caused me more than passing concern. I've tried to reconcile myself with what I consider to be simply wrong-headed ideas since the ill effect was not too large. But this crosses the line:

http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/

My first reaction was that Content Security Policy (CSP) was a light-hearted joke, but it doesn't appear to be. My response:

I appreciate your efforts to bolster security on the web, but this is an over-reaction. Has anyone conducted any decent risk analysis of XSS attacks? Involving hard estimates of probabilities and utilities (or at least economic costs)? Has anyone compared these costs to breaches of security via other means? (i.e. viruses, malware, browser holes, server exploits, psychological tricks) Would the costs be within even an order of magnitude? Would the costs be within even several orders of magnitude?
Please answer these questions before you consider radically changing the culture of the web.
As far as I can tell, all public website XSS problems can be solved very simply by fixing 3rd party cookie security rights (a la web fonts, XHR, etc.) and using sandboxes. The fact that cross-site cookies today aren't treated with the same gravity as cross-site XHR et al. (by all browser makers) is an absolute scandal.
This proposal is an inappropriate response to the problem: it is 10 years in jail for littering. Please --- *please* --- consider what you are doing very carefully before proceeding.

To be clear, I understand that CSP isn't intended to apply to every web page, so the issue isn't calamitous. It is nonetheless a drastic change to the culture of the web, and the very split between CSP and non-CSP pages causes problems of its own.
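To make concrete what the policy actually restricts on a page that opts in, here is an added example, not code from the original post or from Mozilla's implementation: a small evaluator for the script-src directive of a Content-Security-Policy header, run against a constructed policy and a few script origins. It assumes the later standardized CSP syntax (script-src, default-src, 'self', 'none', 'unsafe-inline', host sources) rather than the 2009 draft's, and leaves out nonces, hashes, wildcards and scheme-only sources.

```javascript
// Added example (not from the original post): a minimal evaluator for the
// script-src directive of a Content-Security-Policy header. Assumes the
// standardized CSP syntax, not the 2009 draft; nonces, hashes, wildcards
// and scheme-only sources are deliberately not handled.

// Parse "script-src 'self' https://cdn.example.com; default-src 'none'"
// into a Map of directive name -> list of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per CSP, a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// The source list governing scripts: script-src if present, else
// default-src, else null (no restriction at all).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Decide whether a script may run. `script` is either { inline: true }
// (a <script> body or an on* handler) or { src: 'https://host/x.js' };
// `pageOrigin` is the origin of the document the policy came with.
function isScriptAllowed(header, pageOrigin, script) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;           // no policy: everything allowed
  if (sources.includes("'none'")) return false;

  if (script.inline) {
    // This is the part that changes how pages are written: an inline script
    // is blocked unless 'unsafe-inline' is listed explicitly, because an
    // injected XSS payload is, almost always, an inline script.
    return sources.includes("'unsafe-inline'");
  }

  const scriptOrigin = new URL(script.src).origin;
  const pageScheme = new URL(pageOrigin).protocol;   // e.g. "https:"
  for (const source of sources) {
    if (source === "'self'") {
      if (scriptOrigin === pageOrigin) return true;
      continue;
    }
    if (source.startsWith("'")) continue;            // other keywords: unhandled
    // Host source; a scheme-less host inherits the page's scheme.
    const candidate = source.includes('://') ? source : `${pageScheme}//${source}`;
    let sourceOrigin;
    try { sourceOrigin = new URL(candidate).origin; } catch { continue; }
    if (sourceOrigin === scriptOrigin) return true;
  }
  return false;
}

// Constructed policy and inputs for a quick run.
const samplePolicy = "script-src 'self' https://cdn.example.com; default-src 'none'";
const samplePage = 'https://example.com';
console.log(isScriptAllowed(samplePolicy, samplePage, { inline: true }));
console.log(isScriptAllowed(samplePolicy, samplePage, { src: 'https://cdn.example.com/lib.js' }));
console.log(isScriptAllowed(samplePolicy, samplePage, { src: 'https://evil.example.net/x.js' }));
```

The evaluator makes the trade-off visible: a reflected payload such as an injected `<script>` block is refused outright under the sample policy, while a page that lists `'unsafe-inline'` to keep its existing inline handlers working gets no XSS protection from script-src at all.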

Page last modified on June 21, 2009, at 01:11 AM