by Animats 3556 days ago
If browsers were serious about cross-site content issues, Google Ads wouldn't work. Google insists in their policies that their ads must not be placed in IFRAME blocks,[1] where they can't see the page context. Yet, for security, you want any outside content that executes code sandboxed in an IFRAME.

[1] https://support.google.com/adsense/answer/3394713?hl=en


At some point you have to leverage 3rd parties in order to get your business to function. To me, letting an ad company run javascript on your page is something akin to letting hired contractors in the real world stroll through your office unwatched. Yes it's a security concern, but it's also necessary to operate a business.

In reality, we don't have a lot of truly secure facilities, but instead rely on legal process to stop bad actors, and make people whole after the fact.

On the web, there's always been a push for total security, which I don't think is useful nor particularly realistically implementable.

> is something akin to letting hired contractors in the real world stroll through your office unwatched. Yes it's a security concern, but it's also necessary to operate a business.

Nope, it's entirely possible to have them accompanied by a member of physical security the whole time. The question is always how valuable your security is vs the cost of maintaining it.

100% agree. If Google is serious about CSP, show me where they document the CSP that doesn't break AdSense or Analytics. It's a moving target, AFAICT, and the reason why I don't use CSP in production (at work).
Essentially, here: https://csp-experiments.appspot.com/strict-dynamic

The idea behind CSP based on nonces (as opposed to the "old" approach of using whitelists) is that you add the valid nonce token only to the script directly sourced from your page, and trust propagates to other scripts loaded dynamically by the "loader" script. This way you no longer have to care about what domains the widget uses -- if you trust the initial script, give it a nonce and it will execute, along with the subresources it needs.

Of course you can still have a domain whitelist or use Subresource Integrity if you're loading scripts from potentially untrusted infrastructure. But the nonce-based approach is meant precisely to avoid the "moving target" problem you mentioned.
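As an added illustration (not code from this thread or from the linked strict-dynamic page), a small Python model of the nonce plus 'strict-dynamic' scheme described above: the server mints a per-response nonce, puts it in the header and only on the loader tag, and a simplified decision function shows which later scripts a supporting browser would run. The loader URL and the script descriptors are constructed assumptions, and the decision function is a deliberately reduced model of the browser's rule.

```python
import html
import secrets


def make_nonce() -> str:
    # Fresh, unguessable value per response; never reuse one across responses.
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # Browsers that understand 'strict-dynamic' ignore the host list and
    # 'unsafe-inline'; both stay only as a fallback for older browsers.
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_page(nonce: str, loader_src: str) -> str:
    # Only the loader tag carries the nonce; whatever it loads via DOM APIs
    # inherits trust, so its CDN hostnames never need to appear in the policy.
    return (
        "<!doctype html><html><head>"
        f'<script nonce="{html.escape(nonce)}" src="{html.escape(loader_src)}">'
        "</script></head><body></body></html>"
    )


def script_allowed(nonce: str, script: dict) -> bool:
    """Simplified model of the 'strict-dynamic' decision for one <script>.

    Constructed descriptor keys:
      nonce                     nonce attribute on the tag, if any
      created_by_trusted_script True when an already-trusted script inserted it
                                through createElement/appendChild
      parser_inserted           True for markup from document.write/innerHTML,
                                which does not inherit trust
    """
    if script.get("nonce") == nonce:
        return True
    if script.get("created_by_trusted_script") and not script.get("parser_inserted"):
        return True
    # Host matches ('https:' etc.) are ignored under 'strict-dynamic', so an
    # injected <script src=...> that lacks the nonce is blocked.
    return False
```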

That's a very Google idea, and it's a bad one. Malware distributed through Google's ad system has been an ongoing problem.[1][2] Letting Google's advertiser customers inherit Google's trust is a terrible idea.

Google needs to put all their ads in IFRAME sandboxes. Tightening up on what an IFRAME can do wouldn't be a bad idea, either. No popups, no self-starting video, no absolute positioning outside the clipping pane, no expanding the frame size...

[1] http://www.theverge.com/2014/9/19/6537511/google-ad-network-... [2] http://www.businessinsider.com/android-malware-spreads-using...

Wouldn't the nonce approach described in the article work for this?