[whatwg] Clickjacking and CSRF

Aryeh Gregor Simetrical+w3c at gmail.com
Wed Jul 22 10:38:08 PDT 2009

On Wed, Jul 22, 2009 at 1:20 PM, Bil Corry<bil at corry.biz> wrote:
> If it's desirable to add a 'report only' feature to CSP, I'd prefer see a second CSP-related header (X-Content-Security-Policy-ReportOnly???) that implements it rather than adding it to the CSP header.  The presence of both headers (CSP and CSPReportOnly) would mean both would be acted upon.

I can't see how that makes a difference either way for any purpose,
really.  It just seems like it would make it slightly more annoying
for authors to deploy, and somewhat more confusing (since the presence
of one header would drastically change the semantics of another).

> There's already been some discussion that authors would iteratively relax CSP until their site worked.  I can see where an author enables ReportOnly, their site suddenly works and they mistakenly believe it's properly configured and actively protecting their site.

They might also make a typo in the policy file that causes Firefox to
ignore the whole thing, and mistakenly believe they're being
protected.  Or they might enable CSP, then allow inline script and
import from arbitrary foreign sites because that's what it took for
their ads and Analytics to start working again, and think they're

You can't really do much to stop people from having a sense of false
security if they neither understand nor test their security system.  I
don't think it's valuable to try.

More information about the whatwg mailing list