Bil Corry wrote:
> Is CSP supposed to be user-centric or site-centric?

Using your definitions, it's site-centric.

> By site-centric, I mean is CSP going to be entirely driven by the
> site, so the lack of a CSP header from the site means there is no CSP
> protection in place?  If so, then it is counter-intuitive that the
> entire model is premised on the site implementing the CSP header, but
> the site is blind to how many visitors use it and must not rely on
> CSP to actually do anything.  What I think will happen instead is
> sites that implement it will have some expectation that it does
> something (otherwise, why implement it?), 

Because it might save you when you screw up. That's the entire point of
it. If you never screw up, you don't need to use it (and please come and
work for me).

If you do screw up, people using browsers which support CSP will be saved
(and will, perhaps, be able to warn you that you've screwed up) and
people using other browsers won't be saved. Such is life. It was still
worth implementing it, even if you didn't mean to screw up and even if
some people still get attacked.

Gerv
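An added example (not part of either message) of the model Gerv describes: a toy evaluator for a site's CSP header, showing that a supporting browser blocks an injected inline script and produces the report that warns the site, while a browser without CSP support ignores the header and runs everything. The header, origin and report path are constructed placeholders; source matching is simplified (no wildcards, scheme-less hosts or paths).

```python
from urllib.parse import urlsplit

# Constructed policy a site might ship; /csp-report is a placeholder endpoint.
EXAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
               "report-uri /csp-report")


def parse_csp(header):
    """Split 'directive source source; ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def script_allowed(policy, page_origin, src=None):
    """True if a script may run. src=None means an inline script.
    Falls back to default-src when script-src is absent, as CSP does."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    if src is None:
        return "'unsafe-inline'" in sources  # inline needs an explicit opt-in
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(src))
    for s in sources:
        if s == "'self'" and origin == page_origin:
            return True
        if not s.startswith("'") and origin == s.rstrip("/"):
            return True  # simplified host-source match (assumption: exact origin)
    return False


def enforce(header, page_origin, scripts, supports_csp=True):
    """Simulate one browser loading a page: returns (loaded, violation_reports)."""
    if not supports_csp:
        return list(scripts), []  # header ignored: the site's mistake runs as-is
    policy = parse_csp(header)
    report_to = policy.get("report-uri", [None])[0]
    loaded, reports = [], []
    for src in scripts:
        if script_allowed(policy, page_origin, src):
            loaded.append(src)
        else:  # blocked, and the site gets told where to look
            reports.append({"report-uri": report_to, "blocked-uri": src or "inline"})
    return loaded, reports
```

Feeding the same page (own script, CDN script, an injected inline script and a third-party script) to `enforce` with `supports_csp=True` and `False` reproduces the split Gerv describes: one set of users is protected and generates reports, the other is not.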
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
