It is site-centric. Someone might write an add-in to monitor or
modify content policies but that's not a core use case.
Lucas.
On Dec 18, 2008, at 7:30 AM, Bil Corry wrote:
Gervase Markham wrote on 12/17/2008 2:23 PM:
Lucas Adamski wrote:
From this discussion I'm still seeing good reasons to have a version
flag; mainly to allow servers to detect whether a given client supports
CSP (and what version of it) in an unequivocal manner.
How do you react to my point that they shouldn't need to know that
because, if they do, it means they are relying on CSP, which they
shouldn't be?
Is CSP supposed to be user-centric or site-centric?
By user-centric, I mean is CSP going to be similar to NoScript and
AdBlockPlus where it's up to the user to configure its use and
behavior, with the site being able to helpfully suggest the
appropriate rules for itself? If so, then I agree, sites should not
rely on CSP because who knows how the user has configured CSP to
behave.
By site-centric, I mean is CSP going to be entirely driven by the
site, so the lack of a CSP header from the site means there is no
CSP protection in place? If so, then it is counter-intuitive that
the entire model is premised on the site implementing the CSP
header, but the site is blind to how many visitors use it and must
not rely on CSP to actually do anything. What I think will happen
instead is sites that implement it will have some expectation that
it does something (otherwise, why implement it?), and they will test
to see which browsers are supporting it. And if there is more than
one version of CSP, they'll create multiple tests.
- Bil
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security