[dojo-contributors] heya-ctr performance

Eugene Lazutkin eugene at lazutkin.com
Mon May 6 18:37:23 EDT 2013


Again, I may be wrong, but turning on CSP requires active support
from the server that serves a web application. Specifically, it should send
special headers for that, or include equivalent meta tags. More than
that, it is not an "all or nothing" deal --- a server owner can whitelist
trusted (e.g., their own) scripts.

Obviously CSP is much more than prohibiting function constructors and
evals --- any kind of inline code in HTML is a no-no; iframes,
objects, media, even images can be prohibited or restricted, and so on.

Speaking of RequireJS' possible invulnerability to CSP --- it is not
strictly true, because CSP can prohibit loading scripts using URL
patterns, and even govern the creation of script tags.

All in all, I don't see web-based CSP implementations as a problem for
loaders and libraries using code-generative techniques at all. It is a
valid technique that is designed to guard a web application from
3rd-party scripts (e.g., ad servers). If somebody wants to use
Heya/Pulsar/Dojo to write malware, and cannot do that because smart
people use CSP to guard their web application --- I am all for that. :-)

Embedded devices and appliances (TVs, DVD players, receivers, and other
electronics) represent a bigger problem, yet increasingly it is solved
by signing code and closely guarded application stores, rather than by
programmatic restrictions.

Cheers,

Eugene


On 05/06/2013 04:37 PM, James Burke wrote:
> On Mon, May 6, 2013 at 2:20 PM, Eugene Lazutkin <eugene at lazutkin.com> wrote:
>> How big is CSP market, and do we really want to target it specifically?
>> This is a separate non-technical question in the same vein as "do we
>> support IE6, IE7, IE8" --- arguably the latter have more market than the
>> CSP-based solutions in terms of available money, yet as far as I can
>> tell most Dojo committers think that it should not be supported.
> 
> I think the difference between CSP and old IE is that CSP is likely to
> get more usage than them over time, particularly since it allows web
> sites the ability to avoid large blocks of security issues. It is a
> future looking feature vs a legacy concern.
> 
> I will not post any more on this, as it is probably a side point to
> the thread, just some links for more background:
> 
> caniuse:
> http://caniuse.com/#feat=contentsecuritypolicy
> 
> GitHub's post about enabling it:
> https://github.com/blog/1477-content-security-policy
> 
> Info docs:
> https://developer.mozilla.org/en-US/docs/Security/CSP
> 
> James
> 

-- 
Eugene Lazutkin
http://lazutkin.com/
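The thread above describes CSP in prose: the server sends a policy header (or meta tag), the policy whitelists trusted script origins, wildcard hosts and URL prefixes, and the 'unsafe-inline' / 'unsafe-eval' keywords are what decide whether inline code and eval()/new Function() survive. The block below is an added example written for this page; it is not code from the thread, Dojo, RequireJS or Heya, and it is a simplified CSP 1.0-style model of the script-src matching rules rather than a spec-complete implementation (nonces, hashes, reporting and the later rule that nonces disable 'unsafe-inline' are not modelled). The policy string, page origin and script URLs are constructed for the demo.

```javascript
// Added example, not from the thread or from any Dojo/RequireJS/Heya code.
// Simplified model of how a browser applies a CSP "script-src" directive.
// Assumed, constructed inputs: the POLICY header, PAGE origin and demo URLs.

// Parse "directive src src; directive src" into { directive: [sources] }.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// "*" matches any host; "*.example.com" matches subdomains but not the apex.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Does one source expression permit loading scriptUrl into a page at pageOrigin?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  const lower = expr.toLowerCase();
  if (lower === "'self'") return url.origin === page.origin;
  if (lower.startsWith("'")) return false; // 'none', 'unsafe-*' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source

  // host-source: [scheme://]host[:port][/path]; only the path is case-sensitive.
  const m = /^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme in the pattern: the page's scheme (or an https upgrade)
  }
  if (!hostMatches(host.toLowerCase(), url.hostname)) return false;
  if (port === undefined) {
    // URL normalises default ports to '', so a non-empty port is an explicit non-default one.
    if (url.port !== '') return false;
  } else if (port !== '*' && port !== (url.port || DEFAULT_PORTS[url.protocol])) {
    return false;
  }
  if (path) {
    // A trailing "/" means prefix match, otherwise the path must match exactly.
    return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

function hasKeyword(policy, keyword) {
  const sources = scriptSources(policy);
  return sources === null || sources.some((s) => s.toLowerCase() === keyword);
}
// Inline <script> bodies and on* handlers need 'unsafe-inline';
// eval, new Function and setTimeout(string) need 'unsafe-eval'.
const inlineScriptAllowed = (policy) => hasKeyword(policy, "'unsafe-inline'");
const evalAllowed = (policy) => hasKeyword(policy, "'unsafe-eval'");

// Demo (constructed): a site serving its own loader, trusting one CDN path and
// any *.trusted.net host, and refusing inline scripts and eval entirely.
const PAGE = 'https://app.example.com';
const POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.com/dojo/ *.trusted.net; img-src *"
);

for (const u of ['https://app.example.com/dojo/dojo.js', 'https://cdn.example.com/dojo/dojo.js',
                 'https://cdn.example.com/other/x.js', 'https://ads.trusted.net/ad.js',
                 'https://trusted.net/ad.js', 'http://evil.example.net/x.js']) {
  console.log(scriptAllowed(POLICY, u, PAGE) ? 'allow ' : 'block ', u);
}
console.log('inline scripts:', inlineScriptAllowed(POLICY), ' eval/Function:', evalAllowed(POLICY));
```

Run it with Node (a global URL constructor is needed). The point for a loader author is the last line: under a policy like this one, a module loader that injects script tags for whitelisted URLs keeps working, while a library that builds code with new Function or eval stops working unless the site owner adds 'unsafe-eval', which is exactly the trade-off the thread is debating.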
