Bil Corry wrote on 12/18/2008 9:30 AM:
> By user-centric, I mean is CSP going to be similar to NoScript and
> AdBlockPlus where it's up to the user to configure its use and
> behavior, with the site being able to helpfully suggest the
> appropriate rules for itself? If so, then I agree, sites should not
> rely on CSP because who knows how the user has configured CSP to
> behave.

Here's a good example of "user-centric", Giorgio Maone's ABE:

http://hackademix.net/2008/12/20/introducing-abe/

The details of it are here:

http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf

So while ABE doesn't send a request header advertising itself, due to the user-centric nature of the protection, it doesn't seem necessary to me. I do admit there's a fine line here that's entirely based on how CSP and ABE have been framed for use.

- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security