Gervase Markham wrote on 12/8/2008 12:32 PM: 
> Bil Corry wrote:
>> No, so that in the event CSPv2 is incompatible with CSPv1, it won't
>> require two response headers to be sent to every client.  Instead,
>> since the browser tells the server which version of CSP it's
>> accepting, the server can send back the CSP header in the most recent
>> format that both the client and server understand (e.g. server knows
>> CSPv2, client knows CSPv3, server sends CSPv2 header).
> 
> That makes no sense. You are saying that servers won't send any policy
> at all, now, because in the future they might have to send two headers?

Let's back up.  The CSP method you support (correct me if I'm wrong) is for the 
server to send a CSP header to all clients.  And if the client understands the 
header, it'll kick on some extra protections not currently afforded to the 
site.  And that's great for CSPv1.  But let's take it to the extreme: say there 
are now five different CSP versions, and none of them are compatible with each 
other.  The server then will have to issue five headers for all five CSP 
versions and hope the client supports one or more of them:

        X-Content-Security-Policy: ...
        X-Content-Security-Policy2: ...
        X-Content-Security-Policy3: ...
        X-Content-Security-Policy4: ...
        X-Content-Security-Policy5: ...

I'm suggesting instead that the client announce the CSP version it supports; 
something like:

        Sec-Content-Security-Policy: v3

And the server can respond with just that CSP version:

        X-Content-Security-Policy: ... v3 format here ...

So the main benefit is unambiguous communication, not saving bytes in a header.

Beyond that, it has other benefits, perhaps the biggest one is being able to 
measure how many clients are using CSP.  How will you measure the success of 
CSP if you have no way of knowing if 1% of browsers are using it, or 99%?  And 
websites may not want to implement it if they can't see the number of clients 
affected; if there is only 1% of their visitors using it, maybe they don't want 
to spend the effort to devise and keep a CSP header up-to-date.  But if 99% of 
their visitors use it, it now becomes more worthwhile.

And there's also debugging -- when some site visitors are having trouble using 
the site, but others are not, how can the website debug the problem when it's a 
misconfigured CSP?  Will the browser pop up an alert each time there's a CSP 
violation?  If not, and without a client sending a CSP header, it'll be hard to 
debug.



- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
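The exchange proposed above, as an added example that is not part of the original thread or of any shipped CSP implementation: the client announces the version it supports in a `Sec-Content-Security-Policy` request header, and the server answers with a single `X-Content-Security-Policy` header in the newest format both sides understand. The version numbers, the policy strings, the sample request log and the `fallback_version` knob (which models Gerv's objection: a server that still wants to protect clients announcing nothing can keep sending the oldest format) are all constructed assumptions, not anything the thread specifies.

```python
"""Hypothetical CSP version negotiation, modelling the proposal in the
thread: the client announces the CSP version it supports and the server
replies with one policy header in that version's format (never the real
CSP mechanism, which has no client-side version announcement)."""
from collections import Counter

REQUEST_HEADER = "Sec-Content-Security-Policy"   # client -> server (proposed)
RESPONSE_HEADER = "X-Content-Security-Policy"    # server -> client (as in thread)

# Constructed: the policy formats this server can emit, keyed by hypothetical
# CSP version. The syntax of each is made up; they only need to differ.
SERVER_POLICIES = {
    1: "allow self; img-src *",
    2: "default-src 'self'; img-src *",
}


def parse_client_version(request_headers):
    """Return the CSP version the client announced, or None if the header is
    absent or malformed. Header names are matched case-insensitively, as HTTP
    requires; an unparseable value is treated as 'not announced'."""
    for name, value in request_headers.items():
        if name.lower() == REQUEST_HEADER.lower():
            value = value.strip().lower()
            if value.startswith("v") and value[1:].isdigit():
                return int(value[1:])
            return None
    return None


def negotiate(client_version, server_policies=SERVER_POLICIES):
    """Pick the newest version both sides understand (at most client_version).
    Example from the thread: server knows v1 and v2, client announces v3,
    server sends the v2 header. Returns (version, policy) or (None, None)."""
    if client_version is None:
        return None, None
    candidates = [v for v in server_policies if v <= client_version]
    if not candidates:
        return None, None
    chosen = max(candidates)
    return chosen, server_policies[chosen]


def build_response_headers(request_headers, server_policies=SERVER_POLICIES,
                           fallback_version=None):
    """Build the response headers for one request. If the client announced
    nothing and fallback_version is set, send that format anyway so older
    clients still get a policy (constructed option, not from the thread)."""
    version, policy = negotiate(parse_client_version(request_headers),
                                server_policies)
    if policy is None and fallback_version in server_policies:
        policy = server_policies[fallback_version]
    headers = {"Content-Type": "text/html"}
    if policy is not None:
        headers[RESPONSE_HEADER] = policy
    return headers


def csp_adoption(request_log):
    """The measurement benefit: count requests per announced version.
    None counts clients that announced no (or an unparseable) version."""
    return Counter(parse_client_version(h) for h in request_log)


# Constructed request log: one v3 client, one v1 client, one client that
# says nothing, and one that sends a malformed value.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "Sec-Content-Security-Policy": "v3"},
    {"Host": "example.test", "sec-content-security-policy": "V1"},
    {"Host": "example.test"},
    {"Host": "example.test", "Sec-Content-Security-Policy": "banana"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get(REQUEST_HEADER, "<none>"), "->", build_response_headers(req))
    print("adoption:", dict(csp_adoption(SAMPLE_REQUESTS)))
```

Run it to see that the v3 client gets the v2 header (the newest format this server knows), the v1 client gets the v1 header, and the other two get no policy unless `fallback_version=1` is passed; `csp_adoption` gives the per-version counts a site would use to decide whether maintaining a policy is worth the effort.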
