On Mon, Jun 29, 2009 at 6:36 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> Shutting Down XSS with Content Security Policy http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-s...
> I'm usually the first to complain about applying technical solutions to problems which are not fundamentally technical... but this looks like it would be reasonably expedient to implement.
> While it won't be effective for all users the detection functionality would be a big improvement in wrangling these problems across the hundreds of Wikimedia projects, many of which lack reasonable oversight of their sysop activities.
I think this would be reasonable to consider implementing as soon as we have a significant number of users using it. It isn't a good idea to make CSP policies that won't actually be effective immediately for a lot of people, because then we'll probably use it incorrectly, break tons of stuff, and not even notice for months or years (possibly even harming uptake of the first version of Firefox to support it).
This does seem to be Mozilla-only, though. If it were an open specification that multiple vendors were committed to implementing, that would make it significantly more attractive. I wonder why Mozilla isn't proposing this through the W3C from the get-go.
We'd have to do some work to get full benefit from this, since we currently use stuff like inline script all over the place. But it would be fairly trivial to use only *-src to deny any remote loading of content from non-approved domains, and skip the rest. That would at least mitigate XSS some, but it would stop the privacy issues we've been having cold, as you say.
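As an added illustration of the "*-src only" approach described in the reply above (this is example code written for this page, not anything from the thread or from MediaWiki, and it uses current CSP directive syntax rather than the 2009 Mozilla draft that was linked): a small evaluator that decides whether a resource load passes a policy built only from fetch directives. It shows the three properties the reply relies on: loads from non-approved hosts are refused, inline script keeps working because it is explicitly allowed, and every refusal yields a report of the kind the detection side would collect. All hostnames and the report-uri path are constructed placeholders.

```python
"""Toy evaluator for CSP fetch directives (*-src).  Added example, not code
from the thread; uses modern CSP syntax.  Hostnames are constructed."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed policy: only approved hosts may be loaded from, inline script
# is still permitted (the "skip the rest" part), violations are reported.
POLICY = (
    "default-src 'self'; "
    "img-src 'self' https://upload.example.org; "
    "script-src 'self' 'unsafe-inline' https://static.example.org; "
    "style-src 'self' 'unsafe-inline'; "
    "media-src https://*.example.org; "
    "report-uri /csp-report"
)


def parse_policy(policy):
    """Split 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin_parts(url):
    """(scheme, host, port) of a URL, filling in the default port."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, url, page_origin):
    """Does one source expression permit loading url from a page at page_origin?"""
    src = source.lower()
    scheme, host, port = _origin_parts(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (scheme, host, port) == _origin_parts(page_origin)
    if src.startswith("'"):
        return False          # keyword sources ('unsafe-inline', ...) never match a URL
    if src == "*":
        return True
    src_scheme = None
    if "://" in src:
        src_scheme, src = src.split("://", 1)
    elif src.endswith(":"):   # scheme-source such as "https:"
        return scheme == src[:-1]
    # host-source: drop any path, split off an optional port
    src_host, _, src_port = src.split("/", 1)[0].partition(":")
    if src_scheme is None:
        # no scheme given: the page's own scheme, or https, is acceptable
        if scheme not in (_origin_parts(page_origin)[0], "https"):
            return False
    elif scheme != src_scheme:
        return False
    if src_port and src_port != "*" and str(port) != src_port:
        return False
    if src_host.startswith("*."):
        # wildcard covers subdomains only, not the apex host itself
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return host == src_host


def governing_directive(directives, resource_type):
    """The directive that applies to resource_type, falling back to default-src."""
    for name in (resource_type + "-src", "default-src"):
        if name in directives:
            return name, directives[name]
    return None, None         # policy is silent: the browser allows the load


def check_load(policy, resource_type, url, page_origin="https://wiki.example.org"):
    """Return (allowed, report).  report is None when allowed, otherwise a dict
    shaped like a CSP violation report (document-uri, violated-directive,
    blocked-uri, original-policy)."""
    directives = parse_policy(policy)
    name, sources = governing_directive(directives, resource_type)
    if sources is None or any(source_matches(s, url, page_origin) for s in sources):
        return True, None
    return False, {
        "document-uri": page_origin + "/",
        "violated-directive": name,
        "blocked-uri": url,
        "original-policy": policy,
    }


def is_allowed(policy, resource_type, url, page_origin="https://wiki.example.org"):
    return check_load(policy, resource_type, url, page_origin)[0]


# Constructed sample of loads a wiki page might attempt (not real traffic).
SAMPLE_LOADS = [
    ("script", "https://wiki.example.org/load.php?modules=site"),
    ("script", "https://static.example.org/jquery.js"),
    ("script", "https://evil.example.net/keylogger.js"),        # injected script host
    ("img", "https://upload.example.org/thumb/cat.jpg"),
    ("img", "http://tracker.example.net/pixel.gif?user=123"),   # third-party image leak
    ("media", "https://video.example.org/clip.webm"),
    ("media", "https://example.org/clip.webm"),                 # *. excludes the apex
    ("font", "https://fonts.example.com/a.woff"),               # falls to default-src
]

if __name__ == "__main__":
    for rtype, url in SAMPLE_LOADS:
        allowed, report = check_load(POLICY, rtype, url)
        print(f"{'ALLOW' if allowed else 'BLOCK'} {rtype:6} {url}")
        if report:
            print("   report:", report["violated-directive"], report["blocked-uri"])
```

Running it over the sample list blocks the injected script, the tracking pixel and the off-site font, while first-party and approved-host loads go through; the inline `<script>` blocks the reply mentions are untouched because `'unsafe-inline'` stays in `script-src`. Real browsers also apply redirects, nonces and hashes, which this toy ignores.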