- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 16 May 2013 09:47:35 -0700
- To: Eduardo' Vela <evn@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 16 May 2013 16:48:07 UTC
On 5/1/2013 12:32 AM, Eduardo' Vela wrote:
> On the other point, I assume that means sites that want ads won't be
> able to use CSP?

Why not? The site knows who its ad partners are and can whitelist them. It may require ad providers to be more forthcoming about their hidden partnerships and sub-contractors. The fact that site authors don't know that their ad provider is injecting random 4th and 5th party crap into their pages is a security problem in the first place.

If CSP proves successful at stopping XSS in practice then there will be a market for CSP-friendly ad providers.

-Dan Veditz