Bil Corry wrote on 12/18/2008 9:30 AM:
> By user-centric, I mean is CSP going to be similar to NoScript and
> AdBlockPlus where it's up to the user to configure its use and
> behavior, with the site being able to helpfully suggest the
> appropriate rules for itself? If so, then I agree, sites should not
> rely on CSP because who knows how the user has configured CSP to
> behave.

Here's a good example of "user-centric", Giorgio Maone's ABE:

http://hackademix.net/2008/12/20/introducing-abe/

The details of it are here:

http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf

So while ABE doesn't send a request header advertising itself, due to the
user-centric nature of the protection, it doesn't seem necessary to me. I do
admit there's a fine line here that's entirely based on how CSP and ABE have
been framed for use.

- Bil
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security