Sid Stamm wrote:
> Gervase Markham wrote:
>>> If a server is to rely on CSP to reliably enforce security constraints
>> If it's doing that, it's broken. CSP is explicitly not designed for
>> this. (As I understand it.)
>
> Maybe it's not completely bad for browsers to advertise whether or not
> they support CSP (and which versions). There's a benefit for web
> developers who can decide to serve more restricted/filtered content to
> browsers that won't "catch them when they fall".

If there's additional filtering they know how to do, they should be doing it for everyone.

> example, consider a webmaster who is just learning some new technology
> X may not be comfortable enough to serve X content without a safety
> net that CSP provides, but is being pressured to add features to his
> site.

Then he shouldn't use X. (Who designed X to be unsafe by default? Go shoot them. :-)

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
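The layering Gerv argues for, as an added example that is not part of the thread and not Mozilla code: server-side output encoding runs for every client, and the CSP header is sent unconditionally as a second, independent layer rather than as a substitute for the encoding. The function names, the sample comment text and the policy string are my own assumptions.

```python
# Added example (not from the thread): escape untrusted text for every client,
# and send CSP to every client as a backstop. Names and the sample policy are
# assumptions for illustration only.
from html import escape

# Constructed sample input: an untrusted comment body as a server might receive it
UNTRUSTED_COMMENT = '<img src=x onerror="alert(1)">hello'

# Assumed policy: same-origin scripts only, no inline script, no plugins.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_comment(text: str) -> str:
    """Primary control: HTML-escape untrusted text before embedding it.

    This does not depend on the requesting browser at all, which is the
    point of "they should be doing it for everyone".
    """
    return '<p class="comment">' + escape(text, quote=True) + "</p>"


def render_comment_branching(text: str, client_supports_csp: bool) -> str:
    """The pattern the thread objects to: skip server-side filtering when the
    client advertises CSP support and let the browser "catch you when you fall".

    Any client that lies about, or lacks, CSP support gets the raw markup.
    """
    if client_supports_csp:
        return '<p class="comment">' + text + "</p>"
    return render_comment(text)


def response_headers() -> dict:
    """Headers for the rendered page. CSP is sent to every client; a browser
    that does not understand it simply ignores the header, and the escaping
    in render_comment still protects that browser."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
    }


if __name__ == "__main__":
    print(render_comment(UNTRUSTED_COMMENT))
    print(render_comment_branching(UNTRUSTED_COMMENT, client_supports_csp=True))
    print(response_headers())
```

The branching variant is included only to make the contrast concrete: a client-dependent safety net turns a server-side bug into a live issue for every browser the server misjudges, whereas the unconditional escaping plus an unconditional CSP header costs nothing extra for clients that ignore the header.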