This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Talk:Content Security Policy
I don't think this belongs in the OWASP Java Project, since CSP deals with browser security and the server-client protocol (HTTP headers), independently of the specific server implementation. You can send the CSP headers from any possible HTTP server - Java, ASP, PHP/Apache, NodeJS etc. Personally, I find that the lengthy Java implementation example may distract from the main issues and the choices / tradeoffs that people thinking about implementing CSP in their sites would have to make. Also, regarding the following:
> Inline script will be allowed because inline scripting is commonly used (can be disabled if the target site does not use this type of scripting)
I think this does not make it clear that unsafe-inline removes a lot of anti-XSS protection and therefore most of the benefits of using the CSP.
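The point made in the comment above, as an added illustration that is not part of the original page or the commenter's text: a small evaluator of whether a given CSP header would let an injected inline script (the usual XSS payload) execute. The policy strings and the nonce value are constructed for this example; the header is the same whatever server emits it.

```javascript
// Added example: evaluate how a CSP header treats an inline <script> that an
// attacker injected (no nonce, no hash). The policies passed in below are
// constructed for illustration, not taken from the OWASP wiki article.

// Parse "directive value value; directive value" into a Map. Per the CSP spec,
// a repeated directive name is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if neither is
// present the policy places no restriction on scripts at all.
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// True if an injected inline script (no nonce, no hash) would be executed.
function allowsInjectedInlineScript(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 2 and later: once the directive carries a nonce or a hash,
  // browsers ignore 'unsafe-inline', so only scripts the author tagged run.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

// True if an inline script carrying the given nonce attribute would execute.
function allowsInlineScriptWithNonce(header, nonce) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  if (allowsInjectedInlineScript(header)) return true;
  return sources.includes(`'nonce-${nonce}'`);
}

// A nonce-based policy that keeps legitimate inline scripts working without
// 'unsafe-inline'. The nonce must be unpredictable and fresh per response
// (e.g. 16 random bytes, base64); a fixed value is used here only for the demo.
function buildStrictPolicy(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

// Constructed policies: the first is the shape the commenter objects to.
const permissive = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const strict = buildStrictPolicy('d3m0N0nc3');
console.log('unsafe-inline policy lets injected script run:', allowsInjectedInlineScript(permissive));
console.log('nonce policy lets injected script run:', allowsInjectedInlineScript(strict));
console.log('nonce policy lets nonced script run:', allowsInlineScriptWithNonce(strict, 'd3m0N0nc3'));
```

Run with `node csp-check.js`. The permissive policy reports `true`: with `'unsafe-inline'` in `script-src`, any script an attacker manages to reflect into the page executes, so the policy still blocks external script loads but gives up the protection against inline XSS that is the main reason to deploy CSP. The nonce-based policy reports `false` for the injected script and `true` for a script carrying the server-issued nonce.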