Gervase Markham wrote:
> > If a server is to rely on CSP to reliably enforce security constraints
> If it's doing that, it's broken. CSP is explicitly not designed for
> this. (As I understand it.)
Maybe it's not completely bad for browsers to advertise whether or not they support CSP (and which versions). There's a benefit for web developers who can decide to serve more restricted/filtered content to browsers that won't "catch them when they fall". This benefit is not there if the browsers don't advertise what they will enforce.

For example, consider a webmaster who is just learning some new technology X and may not be comfortable enough to serve X content without the safety net that CSP provides, but is being pressured to add features to his site. If a client doesn't support CSP, his server can simply not serve any script content that he isn't sure about; but when CSP is present and can be enforced, he has that to fall back on and can serve experimental stuff. While in an ideal world all developers would understand how all the code their site serves behaves in every situation, I doubt this is the case in reality, especially for smaller, feature-driven sites.

I can see both sides of this issue, though. It is not healthy to rely on CSP as a primary layer of security, especially since it will take some time for CSP to be adopted widely (and we *really* don't want to encourage sloppy design).

-Sid

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
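The server-side pattern Sid sketches, as an added illustration that is not code from the thread or from any browser: the CSP header is always sent, and experimental inline script is only included when the client advertises CSP enforcement. The `X-CSP-Support` request header and its `CSP/1.0` version token are assumptions for the example; no browser sends such a header.

```python
import re
import secrets

# Hypothetical advertisement header (assumption; not a real header).
CSP_SUPPORT_HEADER = "x-csp-support"

# Matches any <script>...</script> element, used as the fallback filter.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def client_enforces_csp(headers, minimum=(1, 0)):
    """Return True if the client advertises CSP at or above `minimum`.

    Header lookup is case-insensitive; the value is expected to look like
    'CSP/1.0' (constructed format for this example).
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == CSP_SUPPORT_HEADER), "")
    m = re.fullmatch(r"\s*CSP/(\d+)\.(\d+)\s*", value, re.I)
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) >= minimum


def build_response(headers, base_html, experimental_script, nonce=None):
    """Return (response_headers, body).

    The CSP header is sent regardless of what the client advertises, so a
    browser that does enforce it still gets the policy. The experimental
    inline script is only added, tagged with a per-response nonce, when the
    client says it will enforce CSP. Otherwise every <script> element is
    stripped from the page: without the safety net, the server serves only
    the content it is sure about.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    csp = f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"
    response_headers = {"Content-Security-Policy": csp}
    if client_enforces_csp(headers):
        body = base_html + f'<script nonce="{nonce}">{experimental_script}</script>'
    else:
        body = SCRIPT_RE.sub("", base_html)
    return response_headers, body


if __name__ == "__main__":
    # Constructed sample request: a client advertising CSP 1.0 support.
    print(build_response({"X-CSP-Support": "CSP/1.0"},
                         "<p>hello</p>", "console.log('experimental')"))
```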