Bil Corry wrote:
> Let's back up.  The CSP method you support (correct me if I'm wrong)
> is for the server to send a CSP header to all clients.  And if the
> client understands the header, it'll kick on some extra protections
> not currently afforded to the site.  And that's great for CSPv1.  But
> let's take it to the extreme, say there is now five different CSP
> versions, and none of them are compatible with each other.

Stop right there. How does this potential future problem dissuade people
from deploying CSP now (which is what you were worried about)?

Anyway, CSP is designed to be forwardly-compatible in syntax. HTTP, a
complex protocol, has had one backwardly-compatible revision in 10+
years. I suspect we won't have five, or even two versions of CSP.
Particularly as it's currently an X- header for testing purposes, and
will move to not being an X- header when it hits 1.0, which allows
breaking changes at that point.

> Beyond that, it has other benefits, perhaps the biggest one is being
> able to measure how many clients are using CSP.  How will you measure
> the success of CSP if you have no way of knowing if 1% of browsers
> are using it, or 99%?

This is a feature. The only reason you'd want to do this is to see if
you could rely on it.

Anyway, you could get approximate stats by mapping from browser versions.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
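The forward-compatibility property Gerv refers to is a concrete rule set on the client side: a conforming user agent ignores directives it does not recognise, treats directive names case-insensitively, and lets the first occurrence of a duplicated directive win. The following policy parser and source matcher, written as an added illustration rather than code from the thread or from Mozilla's implementation, applies those CSP 1.0 rules to a constructed policy that also carries a made-up future directive (`future-thing`), so you can see that a client that only understands the 1.0 directives still enforces the parts it does understand. The directive list, the page origin and the policy string are assumptions for the example; the matcher handles `'self'`, `'none'`, `*`, scheme-only sources and host sources (with `*.` wildcards and ports) and deliberately leaves out keywords such as `'unsafe-inline'`.

```javascript
// Added example (not from the dev-security thread or Mozilla's code).
// Parses a CSP 1.0 style policy string and decides whether a load is
// permitted, applying the forward-compatibility rules of the spec:
// unknown directives are ignored, names are case-insensitive, and the
// first occurrence of a duplicated directive wins.

// Directive names defined by CSP 1.0 (assumption: the client knows only these).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src', 'sandbox', 'report-uri',
]);

// Constructed inputs for the example: a page origin and a policy that
// contains a duplicate directive (different case) and a hypothetical
// future directive ("future-thing") a 1.0 client cannot know about.
const PAGE_ORIGIN = 'https://www.example.com';
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "Script-Src *; future-thing foo bar; img-src *.example.com;";

// Split a policy string into a Map of directive name -> source list,
// recording the directives that were skipped as unrecognised.
function parsePolicy(policy) {
  const directives = new Map();
  const ignored = [];
  for (const token of policy.split(';')) {
    const trimmed = token.trim();
    if (trimmed === '') continue;                 // empty token, e.g. trailing ';'
    const [rawName, ...sources] = trimmed.split(/\s+/);
    const name = rawName.toLowerCase();           // names are case-insensitive
    if (!KNOWN_DIRECTIVES.has(name)) {            // unknown: skip it, keep parsing
      ignored.push(name);
      continue;
    }
    if (directives.has(name)) continue;           // duplicate: first one wins
    directives.set(name, sources);
  }
  return { directives, ignored };
}

// Fetch directives fall back to default-src when not set explicitly.
// Returns null when neither is present (no restriction).
function effectiveSources(parsed, directiveName) {
  if (parsed.directives.has(directiveName)) return parsed.directives.get(directiveName);
  return parsed.directives.get('default-src') || null;
}

// Does one source expression match a resource URL loaded from pageOrigin?
function sourceMatches(expr, pageOrigin, url) {
  const u = new URL(url);
  const p = new URL(pageOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === p.origin;
  if (expr === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;                          // unsupported syntax: no match
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the page's own scheme must match.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : p.protocol;
  if (u.protocol !== wantScheme) return false;
  const urlHost = u.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard) {
    if (!urlHost.endsWith('.' + wantHost)) return false;   // needs a subdomain
  } else if (urlHost !== wantHost) {
    return false;
  }
  // URL.port is '' for the scheme's default port; an expression with no
  // port only matches that default, '*' matches any port.
  if (port === undefined) return u.port === '';
  if (port === '*') return true;
  return u.port === port;
}

// Final decision for a directive: permitted if no applicable source list,
// otherwise if any source expression in that list matches.
function allowsLoad(parsed, directiveName, pageOrigin, url) {
  const sources = effectiveSources(parsed, directiveName);
  if (sources === null) return true;
  return sources.some((expr) => sourceMatches(expr, pageOrigin, url));
}

// Stand-alone demonstration of the constructed policy.
const demo = parsePolicy(EXAMPLE_POLICY);
console.log('ignored directives:', demo.ignored);
console.log('script from cdn:',
  allowsLoad(demo, 'script-src', PAGE_ORIGIN, 'https://cdn.example.com/a.js'));
console.log('style from cdn (falls back to default-src):',
  allowsLoad(demo, 'style-src', PAGE_ORIGIN, 'https://cdn.example.com/s.css'));
```

Note that the unknown directive is reported but does not stop parsing, and the later `Script-Src *` never widens the earlier `script-src` list; a future CSP revision that only adds directives therefore degrades gracefully on a 1.0 client, which is the point made above about deploying now.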
