- From: Chris Palmer <palmer@google.com>
- Date: Mon, 16 Apr 2018 16:21:09 +0000
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: William Sharkey <williamsharkey@gmail.com>, public-webappsec@w3.org
Received on Monday, 16 April 2018 16:22:09 UTC
On Sat, Apr 14, 2018 at 10:03 AM Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> I feel like a lot (most?) of the security headers and stuff we build
> is to help site operators (esp security teams for webapps) not make
> mistakes. Everyone could in theory write a secure site but in practice
> it is very hard. The same argument applies to CSP whitelist sources,
> suborigins, the referrer-policy header and so on. Setting it in one
> place makes security engineering's job a lot easier and the likelihood
> of bugs much lower.

Absolutely. But in the original post, I sensed a possibility that such a mechanism could grow to become a promise to users, in a way that I think CSP has not. (And, when I have heard of this or similar threat models before, it was explicitly expressed as a promise from the site operators to the users. Maybe that's not what the original poster intended, but I'm always on the look-out for promises we might be making but can't keep.)