Bil Corry wrote:
> Giorgio Maone mentioned CSP on the OWASP Intrinsic Security list[1]
> and I wanted to provide some feedback.
> 
> (1) Something that appears to be missing from the spec is a way for
> the browser to advertise to the server that it will support Content
> Security Policy, possibly with the CSP version. 

That's intentional. CSP is a backstop solution, not front-line security.
If you are depending on the presence of CSP, as the lolcats say, U R
Doin It Wrong.

> (2) Currently the spec allows/denies based on the host name, it might
> be worthwhile to allow limiting it to a specific path as well.  For
> example, say you use Google's custom search engine, one way to
> implement it is to use a script that sits on www.google.com (e.g.
> http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en).
> By having an allowed path, you could prevent loading other scripts
> from the www.google.com domain.

For this and the next one, I'll wait for bsterne to reply, as he's doing
the implementation and speccing work.

> (3) Currently the spec focuses on the "host items" -- has any thought
> been given to allowing CSP to extend to sites being referenced by "host
> items"?  That is, allowing a site to specify that it can't be embedded
> on another site via frame or object, etc?  I imagine it would be
> similar to the Access Control for XS-XHR[2].

I would suspect that would be out of scope.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
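To make point (2) concrete, here is a small source-expression matcher written as an added example (not code from the thread or from Mozilla's implementation). It models only host-style source expressions and assumes the path semantics later adopted by CSP (a path ending in "/" is a prefix, anything else is an exact match, query strings ignored); ports, 'self' and scheme-only sources are deliberately left out.

```python
from urllib.parse import urlsplit


def parse_policy(policy):
    """Parse 'directive src1 src2; directive2 ...' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, url):
    """True if url is permitted by one source expression (host, optional path)."""
    if source == "'none'":
        return False
    u = urlsplit(url)
    if "://" in source:
        s = urlsplit(source)
        if u.scheme != s.scheme:
            return False
        src_host, src_path = (s.hostname or ""), s.path
    else:
        host_part, sep, path = source.partition("/")
        src_host, src_path = host_part.lower(), (sep + path) if sep else ""
    host = u.hostname or ""
    if src_host.startswith("*."):  # *.example.com matches subdomains only
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    if not src_path:  # host-only source: every path on that host is allowed
        return True
    if src_path.endswith("/"):  # directory-style path: prefix match
        return u.path.startswith(src_path)
    return u.path == src_path  # file-style path: exact match, query ignored


def allowed(policy, directive, url):
    """Check url against all sources listed for one directive in the policy."""
    sources = parse_policy(policy).get(directive, [])
    return any(source_matches(s, url) for s in sources)


# Constructed policies: host-only (as in the 2009 draft) versus path-restricted.
HOST_ONLY = "script-src www.google.com"
WITH_PATH = "script-src www.google.com/coop/cse/brand"
BRAND = "http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"
OTHER = "http://www.google.com/jsapi"
```

With HOST_ONLY both BRAND and OTHER are allowed; WITH_PATH allows only the custom-search script, which is exactly the narrowing Bil asks for.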
