14.4.3 Should Content Security Policy be L1 or should it be higher? #1297
Comments
I support level 1. It's not some nuclear science. It's a "smell of security": if you don't even have CSP set, then usually it correlates well with general quality.
I'm with @elarlang here; it is a good indicator of the basics and not hard to implement, and for me it sets the tone for a lot moving forward.
Additional point of view: if you think that something in the CSP declaration is too advanced for level one, we can split the requirement with clear goals. Like level 1 should take care that all the external sources are allow-listed with
I guess the question is, how easy is it to backport for older applications? Is there a risk that by making this level 1 we are stopping this level from being accessible to older applications that rely on functionality which would normally be blocked using CSP?
14.4.3 does not really specify how well the CSP should protect against XSS. If you want a CSP that actually blocks all XSS, that could be next to impossible for legacy applications. If you slap a CSP: script-src=unsafe-inline on your legacy application, you have a CSP but have only minimal protection against XSS. But even that provides some protection, is easy to implement, and makes people think about which resources need to be permitted. I think requiring a CSP that is not necessarily watertight is OK for level 1, and achievable.
Seems to be support for keeping as L1.
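The distinction drawn in the comment above, between "has a CSP at all" and "has a CSP that actually restricts script execution", can be checked mechanically. The following is an added example, not code from the ASVS project or from anyone in this thread; the function names and the two sample policies (a legacy one matching the comment's `unsafe-inline` case and a nonce-based strict one) are constructed for illustration.

```javascript
// Added example: grade the script-execution part of a Content-Security-Policy header.
// Parse a header value into directive -> source list. Browsers ignore a repeated
// directive name, so only the first occurrence is kept.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src falls back to default-src; with neither, script loading is unrestricted.
function effectiveScriptSources(policy) {
  return policy.get("script-src") ?? policy.get("default-src") ?? null;
}

// Returns a list of weaknesses; an empty list means script sources are tightly scoped.
function reviewScriptPolicy(header) {
  const findings = [];
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    findings.push("no script-src or default-src: scripts are unrestricted");
    return findings;
  }
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
  // so a backward-compatible strict policy is not flagged here.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' script-src: inline injected scripts still run");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' script-src: eval()/Function() on untrusted data runs");
  }
  for (const s of sources) {
    if (s === "*" || /^(https?|data):$/.test(s)) {
      findings.push(`overly broad script source ${s}`);
    }
  }
  return findings;
}

// Constructed sample policies (hypothetical values, not from the thread).
const LEGACY_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
for (const [label, csp] of [["legacy", LEGACY_CSP], ["strict", STRICT_CSP]]) {
  console.log(label, reviewScriptPolicy(csp));
}
```

The legacy policy satisfies "a CSP exists" and restricts where external scripts may load from, but the `'unsafe-inline'` finding shows why it gives only minimal XSS protection.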
CSP is not super easy to implement.
Do we definitely believe it should be Level 1? Current requirement:
14.4.3