[Webkit-unassigned] [Bug 184031] CSP: Implement 'strict-dynamic' source expression

bugzilla-daemon at webkit.org
Tue Mar 9 06:38:09 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=184031

Dominic Couture <dcouture at gitlab.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dcouture at gitlab.com

--- Comment #6 from Dominic Couture <dcouture at gitlab.com> ---
Hello team, we're working on deploying an improved CSP over at GitLab and I wanted to add my voice to the great Comment 3 above by saying that 'strict-dynamic' is allowing us to deploy a simpler, more secure CSP for most of our users and unfortunately the lack of support in Safari leaves those users more exposed than others if an XSS is exploited.

'strict-dynamic' is especially interesting to us as GitLab allows hosting files in repositories by design so path allow-listing in CSP can be a bit complicated, especially on self-hosted installations that don't have the same level of subdomain isolation across their different resources. It also greatly reduces maintenance across environments running the same applications but that are pulling their external scripts from different domains, so the benefits are also on the productivity side and not only for security.
