CSP Jakub T. Jankiewicz (06 Aug 2022 13:55 UTC)
Re: CSP Arthur A. Gleckler (08 Aug 2022 18:28 UTC)
Re: CSP Jakub T. Jankiewicz (08 Aug 2022 20:00 UTC)
Re: CSP Arthur A. Gleckler (08 Aug 2022 20:14 UTC)
Re: CSP Vasilij Schneidermann (08 Aug 2022 20:47 UTC)
Re: CSP Arthur A. Gleckler (03 Oct 2022 21:14 UTC)
Re: CSP Jakub T. Jankiewicz (19 Jan 2023 14:04 UTC)
Re: CSP Magnus Ahltorp (19 Jan 2023 19:50 UTC)
Re: CSP Jakub T. Jankiewicz (19 Jan 2023 20:10 UTC)

Re: CSP Magnus Ahltorp 19 Jan 2023 19:50 UTC

> 19 jan. 2023 15:04 Jakub T. Jankiewicz <xxxxxx@onet.pl> wrote:
>
> Just adding one note, because I was testing a new version of my Scheme REPL
> bookmarklet. Google, YouTube and Wikipedia allow my bookmarklet to run without any
> issues. But it doesn't work on scheme.org or github.com. From my understanding
> such a strict CSP is added only when people don't understand how this system
> works and just disable everything they can, even when it isn't needed. Or when
> they are afraid for no reason or don't trust their code. And what they do is
> that they restrict what tools can do (bookmarklets).

I don't want to imply that Arthur and Lassi don't understand "how this system works", but if they don't, then the correct thing would be to disable as much as possible, right? Also, if they are not confident that the other measures are enough, then disabling everything also seems like a good idea.

And I definitely don't understand why a bookmarklet wouldn't work in this case; that's user configuration, not cross-site functionality.

> YouTube and Wikipedia are good examples that don't need such a strict CSP even
> though they accept user input. Wikipedia (MediaWiki) even allows a limited amount
> of HTML in articles and it's fine; no one has hacked Wikipedia.

YouTube and Wikipedia also have an untold number of people working on security, paid or not paid.

/Magnus
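The point of contention above is whether a site's CSP permits inline script, which is what a javascript: bookmarklet needs in browsers that apply the page's policy to it (Chrome does; Firefox exempts bookmarklets). The following is an added example, not code from anyone in the thread: a small evaluator that parses a Content-Security-Policy header and reports whether inline script can run, honouring the default-src fallback and the rule that 'unsafe-inline' is ignored once a nonce or hash source is present. The sample policies are constructed and are not the real headers of scheme.org, github.com or YouTube.

```python
from __future__ import annotations

# Constructed sample policies (assumptions, not the real headers of any site named above).
STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"
PERMISSIVE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.example.com"
NONCE_PLUS_INLINE_POLICY = "script-src 'unsafe-inline' 'nonce-r4nd0m'"

# script-src falls back to default-src when it is absent (CSP fetch-directive fallback).
FETCH_FALLBACK = {"script-src": "default-src"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that governs `directive`, or None if nothing restricts it."""
    if directive in policy:
        return policy[directive]
    fallback = FETCH_FALLBACK.get(directive)
    if fallback and fallback in policy:
        return policy[fallback]
    return None  # no applicable directive: the browser default is to allow


def allows_inline_script(header: str) -> bool:
    """True if inline script (including javascript: URLs) may run under this policy.

    'unsafe-inline' permits inline script, but the spec makes browsers ignore it
    when the same directive also carries a nonce-, hash- or 'strict-dynamic'
    source, so "script-src 'unsafe-inline' 'nonce-...'" still blocks a bookmarklet.
    """
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return True
    keywords = {s.strip("'").lower() for s in sources}
    has_nonce_or_hash = any(
        k.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for k in keywords
    )
    if "strict-dynamic" in keywords or has_nonce_or_hash:
        return False
    return "unsafe-inline" in keywords


if __name__ == "__main__":
    for name, policy in [("strict", STRICT_POLICY), ("permissive", PERMISSIVE_POLICY),
                         ("nonce+inline", NONCE_PLUS_INLINE_POLICY)]:
        print(f"{name:13s} inline script allowed: {allows_inline_script(policy)}")
```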