On Mon, Jun 29, 2009 at 6:36 PM, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:
> Shutting Down XSS with Content Security Policy
> http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-…
> I'm usually the first to complain about applying technical solutions
> to problems which are not fundamentally technical... but this looks
> like it would be reasonably expedient to implement.
> While it won't be effective for all users the detection functionality
> would be a big improvement in wrangling these problems across the
> hundreds of Wikimedia projects, many of which lack reasonable
> oversight of their sysop activities.
I think this would be reasonable to consider implementing as soon as we
have a significant number of users using it. It isn't a good idea to
make CSP policies that won't actually be effective immediately for a
lot of people, because then we'll probably use it incorrectly, break
tons of stuff, and not even notice for months or years (possibly even
harming uptake of the first version of Firefox to support it).
This does seem to be Mozilla-only, though. If it were an open
specification that multiple vendors were committed to implementing,
that would make it significantly more attractive. I wonder why
Mozilla isn't proposing this through the W3C from the get-go.
We'd have to do some work to get full benefit from this, since we
currently use stuff like inline script all over the place. But it
would be fairly trivial to use only *-src to deny any remote loading
of content from non-approved domains, and skip the rest. That would
at least mitigate XSS some, but it would stop the privacy issues we've
been having cold, as you say.
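The partial approach sketched in the reply (an allow-list of approved domains via the `*-src` directives while still permitting inline script), as an added example that is not part of this thread: a simplified evaluator written against the current W3C Content-Security-Policy syntax rather than the 2009 Mozilla draft, with a constructed policy and constructed page/resource URLs; ports, paths, nonces and bare scheme-sources are not modelled.

```python
from typing import Optional
from urllib.parse import urlsplit
# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {"script-src", "img-src", "style-src", "connect-src",
                    "frame-src", "font-src", "media-src", "object-src"}

def parse_policy(header: str) -> dict:
    """Parse 'name src src; name src' into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source: str, page_origin: str, url: Optional[str]) -> bool:
    """Does one source expression permit loading url (None means inline)?"""
    if url is None:                        # inline script/style needs an explicit opt-in
        return source == "'unsafe-inline'"
    page, target = urlsplit(page_origin), urlsplit(url)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):             # 'none', 'unsafe-inline', nonces, hashes
        return False
    # host-source, optionally with a scheme and a leading *. wildcard
    # (ports, paths and bare scheme-sources such as https: are not modelled)
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    pattern, host = src.hostname or "", target.hostname or ""
    if pattern.startswith("*."):           # *.wikimedia.org matches subdomains only
        return host.endswith(pattern[1:])
    return host == pattern

def allows(policy: dict, directive: str, page_origin: str, url: Optional[str]) -> bool:
    """Apply the directive, or default-src when a fetch directive is absent."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                        # no governing directive: CSP imposes nothing
    if sources == ["'none'"]:
        return False
    return any(source_allows(s, page_origin, url) for s in sources)

# Constructed policy for the partial approach: allow-list remote origins, keep 'unsafe-inline'.
PARTIAL_POLICY = parse_policy(
    "default-src 'self' *.wikimedia.org; script-src 'self' *.wikimedia.org 'unsafe-inline'")
PAGE = "https://en.wikipedia.org"          # constructed page origin
```

Under this policy an injected inline script still runs, which is the trade-off the reply accepts; what the policy does stop is that script (or a hotlinked image) fetching from any host outside the allow-list.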