On Friday, May 16, 2014 12:09:28 AM UTC+8, Garrett Robinson wrote:
> Brett,
>
> You can currently use CSP's connect-src directive to limit the domains to which a web site may submit data (via XHR, EventSource, etc.). A couple of things to note:
>
> 1. This protection must be opted into by the site (by setting the header). A concerned user could use the UserCSP addon (does it still work) to limit a site's behavior as well?
>
> 2. There is no user-facing UI for CSP for users (there are console messages and violation reports for developers). CSP is intended to be transparent to the user.
>
> We have vaguely discussed creating a centralized "site content permissions" dialog, due to the proliferation of content policies (both in the browser and from addons), but no one is working on that at the moment.

Two things:

If you do make a site content permissions dialog, might I suggest also considering a page-specific one in addition to site-specific ones? In my AsYouWish add-on, due to the high level of privileges granted upon user permission, it could be dangerous for a user to have some 3rd party HTML installed on the same server if my add-on were granting permissions at the site level instead of at the page level as it does now.

Second, thank you for the info on CSP. Are there any directives which prevent cache manifest updates?

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
