It seems to me that version-compatibility announcement is helpful
unless CSP is intended to be a short-lived or rarely-used security
construct (which I gather is not the point).   It is very likely that
CSP's governing scope will change in the future, or an additional
policy may be created to govern other pieces.  It is fairly likely
that different, incompatible policy-version support may need to be
treated differently by the web server.

In fact, supported version announcement is probably necessary, not
just useful, if implementations of CSP are initially rolled out in
browser add-ons; suddenly there's the possibility of multiple browser/
add-on version combinations, especially when people delay updating
browsers or updating plugins when prompted (old-browser + new-addon,
new-browser + old-addon, etc).  In these scenarios user-agent
profiling just won't work reliably.  Also, it's not clear we should
burden the web site developers to stay up-to-date on which browsers
support which policies; it might be difficult to track which agents
support which engines, especially for unknown or niche browsers.
Instead, it might be ideal to explicitly tell the server what is
supported so regardless of the user-agent, the server can be fairly
confident it serves an appropriate policy.

A reasonable approach to specify the CSP version might be seen in the
Accept-Charset header, or really any of the Accept-* request headers.
It need not be present, but if it is, such an Accept-Security-Policy
request header can contain which versions the user agent supports
(e.g., CSP-1.0), and can be comma-separated in case multiple versions
or multiple policies are supported.  Another option would be to shove
the supported CSP versions into the user agent string, but that's a
nasty abuse of the User-Agent header (though arguably the security
policy enforcement is part of the "platform" on which web apps will
run).

-Sid
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
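As an added illustration of the negotiation Sid describes (example code, not from the post or the list), here is a server-side selection of which policy to serve from the proposed Accept-Security-Policy request header. The header name and the CSP-1.0 token are from the post; the splitting rules, the CSP-1.1 token, the policy strings and the conservative fallback are assumptions for the example.

```python
"""Server-side negotiation of a Content-Security-Policy version from a
hypothetical Accept-Security-Policy request header.  The header name and
the 'CSP-1.0' token follow the mailing-list proposal; no shipping browser
sends this header, so everything here is an assumption for illustration."""
from typing import Optional

# Policies the server knows how to emit, keyed by the version token the
# user agent would advertise.  Policy text is constructed for the example.
POLICIES = {
    "CSP-1.0": "default-src 'self'",
    "CSP-1.1": "default-src 'self'; script-src 'self'",
}

# Used when the header is absent or shares no version with us: we cannot
# tell what the agent enforces, so serve the most widely understood policy.
FALLBACK_VERSION = "CSP-1.0"


def parse_accept_security_policy(header: Optional[str]) -> list:
    """Split a comma-separated header value into tokens, as the post
    suggests for multiple versions or policies.  Surrounding whitespace
    is ignored and empty tokens are dropped."""
    if not header:
        return []
    return [tok.strip() for tok in header.split(",") if tok.strip()]


def _version_tuple(token: str) -> tuple:
    """'CSP-1.0' -> (1, 0) for ordering; tokens of another shape sort lowest."""
    try:
        return tuple(int(part) for part in token.split("-", 1)[1].split("."))
    except (IndexError, ValueError):
        return ()


def select_policy(header: Optional[str]) -> tuple:
    """Return (version, policy) for the newest CSP version advertised by the
    agent that the server also supports.  Tokens for other policies (e.g. a
    future 'XSP-2.0') are ignored here.  Falls back to FALLBACK_VERSION when
    the header is missing or no version is shared."""
    advertised = parse_accept_security_policy(header)
    common = [v for v in advertised if v in POLICIES]
    if not common:
        return FALLBACK_VERSION, POLICIES[FALLBACK_VERSION]
    best = max(common, key=_version_tuple)
    return best, POLICIES[best]
```

The point of the example is that the choice depends only on what the agent explicitly advertises, never on User-Agent profiling.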
