Talk:NoScript/Archives/2015
This is an archive of past discussions about NoScript. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
NoScript's Application Boundary Enforcer (ABE) vs Mozilla's Content Security Policy (CSP)
Can a knowledgeable person please discuss the similarities and differences between ABE and CSP? From what I can gather, they seem to have the same motivation and design goals. Is there a clear answer that one is stronger than the other? Are they compatible? Do they interfere with one another? Has either been widely deployed? — Preceding unsigned comment added by 128.112.139.195 (talk) 15:42, 21 February 2012 (UTC)
- Though I'm not an expert, I guess Maone specializes in scripts, the most common way hackers attack a user [1], while the Mozilla team is better at writing, very well, rendering things.
- This is a question best raised on the NoScript support forums. However, I can comment on a few of the differences:
- CSP is server-side (has to be configured at each server, sends reports to the server), while ABE is client-side (configured in browser, logs results in error console).
- CSP just allows or blocks content, whereas ABE can take other actions like stripping authentication.
- CSP was primarily designed to stop cross-site scripting and other injections, while ABE was primarily designed to stop cross-site request forgery (but can defeat XSS/injections too).
- CSP allows wildcards, ABE allows either wildcards or regular expressions.
- CSP specifies only hostnames, ABE can specify full addresses including protocol and path.
- ABE knows about intranet vs internet addresses and can control traffic between them (in fact, it does this by default).
- CSP doesn't try to control requests originating from privileged code, e.g. browser extensions. ABE can, although it is always possible for privileged code to defeat this, so it cannot be relied on to protect against malicious add-ons.
- ABE can distinguish between different types of object inclusions and different HTTP methods.
- They can work independently; if either blocks something, it will be blocked.
- I don't know of any metrics on how widely CSP is deployed, nor do I have any idea how many NoScript users take the time to configure ABE (which doesn't do very much out of the box).
- Carl.antuar (talk) 00:10, 12 February 2014 (UTC)
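The comparison above (client-side ABE rules that see protocol, path, HTTP method and request source and can Anonymize; server-side CSP that is only present where a server ships the header and matches on scheme/host; the two layers being independent) can be made concrete with a small model. The following is an added example, not code from NoScript, Mozilla or any poster on this page. Its ABE grammar (Site / Accept / Deny / Anonymize lines, SELF as a source) is a simplified reading of NoScript's rule language and omits things like the LOCAL keyword, and its CSP matcher handles only host and scheme sources; both simplifications are assumptions made for illustration, and every rule, policy and request below is constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Request:
    origin: str                     # scheme://host of the document issuing the request
    url: str                        # full destination URL
    method: str = "GET"             # GET, POST, or SUB for sub-resource inclusions
    directive: str = "default-src"  # CSP directive governing this fetch type


def _host_matches(pattern, host):
    # ".example" covers the domain and every subdomain; a bare host is exact.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def abe_decide(rules, req):
    """Client-side ABE-style evaluation; returns 'Accept', 'Deny' or 'Anonymize'.

    Simplified grammar (assumed for this example, not NoScript's parser):
        Site <host | .domain | scheme://host/path-prefix | ^regex>
        Accept|Deny|Anonymize [METHOD ...] [from <source-host | .domain | SELF> ...]
    Inside a matching Site block the first matching action line wins;
    a request no block matches is accepted.
    """
    dest_host = urlparse(req.url).hostname or ""
    origin_host = urlparse(req.origin).hostname or ""
    in_block = False
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "Site":
            pat = tok[1]
            if pat.startswith("^"):
                in_block = re.search(pat, req.url) is not None
            elif "://" in pat:                    # protocol plus path prefix
                in_block = req.url.startswith(pat)
            else:
                in_block = _host_matches(pat, dest_host)
            continue
        if not in_block:
            continue
        action, rest = tok[0], tok[1:]
        if "from" in rest:
            i = rest.index("from")
            methods, sources = rest[:i], rest[i + 1:]
        else:
            methods, sources = rest, []
        if methods and req.method not in methods:
            continue
        if sources and not any(
            origin_host == dest_host if s == "SELF" else _host_matches(s, origin_host)
            for s in sources
        ):
            continue
        return action
    return "Accept"


def csp_decide(server_policies, req):
    """Server-side CSP: the policy is whatever the server that served the
    originating document sent, and sources match on scheme/host only
    (simplified: no nonces, hashes, ports or path matching)."""
    origin = urlparse(req.origin)
    policy = server_policies.get(origin.hostname)
    if policy is None:
        return "Accept"  # that document carried no CSP header, so nothing is enforced
    directives = {}
    for part in policy.split(";"):
        fields = part.split()
        if fields:
            directives[fields[0]] = fields[1:]
    srcs = directives.get(req.directive, directives.get("default-src", []))
    dest = urlparse(req.url)
    for s in srcs:
        if s == "'none'":
            return "Deny"
        if s == "'self'":
            if (dest.scheme, dest.hostname) == (origin.scheme, origin.hostname):
                return "Accept"
            continue
        if s.endswith(":"):                       # scheme-source such as https:
            if dest.scheme == s[:-1]:
                return "Accept"
            continue
        scheme, _, host = s.rpartition("://")
        if scheme and scheme != dest.scheme:
            continue
        if host.startswith("*."):
            if (dest.hostname or "").endswith(host[1:]):
                return "Accept"
        elif host == dest.hostname:
            return "Accept"
    return "Deny"


def decide(rules, server_policies, req):
    """The two layers are independent: blocked by either means blocked.
    Anonymize (strip credentials) is an ABE-only outcome."""
    abe, csp = abe_decide(rules, req), csp_decide(server_policies, req)
    return "Deny" if "Deny" in (abe, csp) else abe


ABE_RULES = """
# Constructed rule set in the simplified ABE syntax assumed above.
Site https://bank.example/transfer
Accept POST from SELF
Deny

Site .example
Accept from SELF
Anonymize
"""

SERVER_POLICIES = {  # constructed: only bank.example sends a CSP header
    "bank.example": "default-src 'self'; script-src 'self' https://cdn.example",
}

SAMPLE = [  # constructed requests
    Request("https://bank.example", "https://bank.example/transfer", "POST"),
    Request("https://evil.example", "https://bank.example/transfer", "POST"),
    Request("https://evil.example", "https://bank.example/public", "GET"),
    Request("https://bank.example", "https://cdn.example/lib.js", "SUB", "script-src"),
    Request("https://bank.example", "https://evil.example/x.js", "SUB", "script-src"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.method:4} {r.origin:>20} -> {r.url:31} "
              f"ABE={abe_decide(ABE_RULES, r):9} CSP={csp_decide(SERVER_POLICIES, r):6} "
              f"=> {decide(ABE_RULES, SERVER_POLICIES, r)}")
```

Running the sample shows the points from the list: the cross-site POST to the transfer path is stopped by the ABE rule even though the attacker's page carries no CSP at all, the GET from the foreign site is let through with credentials stripped (an action CSP has no equivalent for), and the script fetch from evil.example is stopped by the bank's script-src even though ABE only anonymized it.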