Gervase Markham wrote on 12/8/2008 12:32 PM:
> Bil Corry wrote:
>> No, so that in the event CSPv2 is incompatible with CSPv1, it won't
>> require two response headers to be sent to every client. Instead,
>> since the browser tells the server which version of CSP it's
>> accepting, the server can send back the CSP header in the most recent
>> format that both the client and server understand (e.g. server knows
>> CSPv2, client knows CSPv3, server sends CSPv2 header).
>
> That makes no sense. You are saying that servers won't send any policy
> at all, now, because in the future they might have to send two headers?
Let's back up. The CSP method you support (correct me if I'm wrong) is for the server to send a CSP header to all clients. And if the client understands the header, it'll kick on some extra protections not currently afforded to the site. And that's great for CSPv1. But let's take it to the extreme: say there are now five different CSP versions, and none of them are compatible with each other. The server then will have to issue five headers for all five CSP versions and hope the client supports one or more of them:

    X-Content-Security-Policy: ...
    X-Content-Security-Policy2: ...
    X-Content-Security-Policy3: ...
    X-Content-Security-Policy4: ...
    X-Content-Security-Policy5: ...

I'm suggesting instead that the client announce the CSP version it supports; something like:

    Sec-Content-Security-Policy: v3

And the server can respond with just that CSP version:

    X-Content-Security-Policy: ... v3 format here ...

So the main benefit is unambiguous communication, not saving bytes in a header.

Beyond that, it has other benefits; perhaps the biggest one is being able to measure how many clients are using CSP. How will you measure the success of CSP if you have no way of knowing if 1% of browsers are using it, or 99%? And websites may not want to implement it if they can't see the number of clients affected; if only 1% of their visitors are using it, maybe they don't want to spend the effort to devise and keep a CSP header up-to-date. But if 99% of their visitors use it, it now becomes more worthwhile.

And there's also debugging -- when some site visitors are having trouble using the site, but others are not, how can the website debug the problem when it's a misconfigured CSP? Will the browser pop up an alert each time there's a CSP violation? If not, and without a client sending a CSP header, it'll be hard to debug.

- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
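The negotiation Bil sketches above, as an added illustration that is not part of the original post or of any CSP implementation: the client announces a version, the server picks the newest format both sides understand, and a server that hears no announcement falls back to emitting one header per known format. The `Sec-Content-Security-Policy: vN` request header and the numbered `X-Content-Security-PolicyN` response headers are the hypothetical names from the post, not real protocol headers, and the per-version policy strings are constructed sample values. The example also keeps the per-version request counts the post says a server-only scheme cannot measure.

```python
import re

# Policy text per CSP version the server can emit. The syntaxes are
# constructed sample values, not the real CSPv1 grammar of 2008.
SERVER_POLICIES = {
    1: "allow 'self'; img-src *",
    2: "default-src 'self'; img-src *",
    3: "default-src 'self'; img-src *; report-uri /csp-report",
}

# Hypothetical header names taken from the post's illustration.
CLIENT_VERSION_HEADER = "Sec-Content-Security-Policy"
RESPONSE_HEADER = "X-Content-Security-Policy"

_VERSION_RE = re.compile(r"^\s*v(\d+)\s*$", re.IGNORECASE)


def parse_client_version(request_headers):
    """Return the CSP version the client announced, or None if it sent
    nothing or something unparseable (treated the same as no support)."""
    value = request_headers.get(CLIENT_VERSION_HEADER)
    if value is None:
        return None
    match = _VERSION_RE.match(value)
    return int(match.group(1)) if match else None


def fallback_headers():
    """Without an announcement the server cannot know what the client
    understands, so it emits one header per known format: the
    'X-Content-Security-Policy, ...2, ...3' situation the post warns about."""
    return {
        RESPONSE_HEADER + ("" if v == 1 else str(v)): policy
        for v, policy in SERVER_POLICIES.items()
    }


def negotiate(request_headers, stats):
    """Choose the newest CSP version both sides understand and return the
    response headers to send. `stats` is a dict the caller owns; each call
    increments the key for what the client announced, which is the
    adoption measurement the post says a server-only scheme cannot get."""
    client_version = parse_client_version(request_headers)
    key = "none" if client_version is None else f"v{client_version}"
    stats[key] = stats.get(key, 0) + 1
    if client_version is None:
        return fallback_headers()
    usable = [v for v in SERVER_POLICIES if v <= client_version]
    if not usable:
        # Client announced a version older than anything we can emit
        # (e.g. "v0"); sending a format it cannot parse is pointless.
        return {}
    return {RESPONSE_HEADER: SERVER_POLICIES[max(usable)]}


def csp_adoption_share(stats):
    """Fraction of observed requests whose client announced CSP support."""
    total = sum(stats.values())
    return 0.0 if total == 0 else 1 - stats.get("none", 0) / total


if __name__ == "__main__":
    counts = {}
    # Constructed sample requests: a v3 client, a client newer than the
    # server, a client with no announcement, and a malformed announcement.
    for hdrs in ({CLIENT_VERSION_HEADER: "v3"}, {CLIENT_VERSION_HEADER: "v5"},
                 {}, {CLIENT_VERSION_HEADER: "bogus"}):
        print(hdrs, "->", negotiate(hdrs, counts))
    print("adoption share:", csp_adoption_share(counts))
```

Note that a malformed announcement is deliberately treated like a missing one rather than rejected: the server still serves a policy, it just loses the single-header benefit for that request. The `stats` dict is the only state, so the same function serves both the negotiation and the adoption count without a global.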