Sid Stamm wrote on 1/12/2009 3:19 PM:
> It seems to me that unless client browsers *never* send CSP-related
> data to the server then the server can ultimately determine which
> clients are using CSP.
I agree: without the client advertising CSP support, sites will test for CSP
just as they test for JavaScript, cookies, etc. You could probably test for
CSP by using policy-uri: if the browser requests it from your server, then it
supports CSP. To prevent an attacker from causing a browser to load it à la
CSRF, you could even add a nonce to the request:
X-Content-Security-Policy: policy-uri /policy.csp?nonce=ABC123
- Bil
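The nonce check Bil sketches, worked through server-side as an added example (not code from the thread or from Mozilla): the policy-uri header from the 2009 draft is minted with a per-session nonce, and a fetch of /policy.csp counts as evidence of CSP support only when it carries the nonce issued to that same session, so a link planted on another site cannot mark a client as CSP-capable. The session id, the in-memory stores and the 403/200 return codes are assumptions for illustration; policy-uri itself did not survive into the standardised Content-Security-Policy header.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory state for the example: session id -> outstanding
# nonce, and session id -> whether a genuine policy fetch was observed.
_pending_nonce: Dict[str, str] = {}
_supports_csp: Dict[str, bool] = {}


def csp_header_for(session_id: str) -> str:
    """Mint a fresh nonce for this session and build the draft-era header,
    exactly in the shape quoted in the message above. Minting a new nonce
    invalidates any earlier one for the session."""
    nonce = secrets.token_urlsafe(16)
    _pending_nonce[session_id] = nonce
    return f"X-Content-Security-Policy: policy-uri /policy.csp?nonce={nonce}"


def handle_policy_fetch(session_id: str, nonce: Optional[str]) -> int:
    """Serve /policy.csp. The nonce is single-use: it is consumed on the
    first attempt, so a wrong, missing, replayed or cross-site request is
    refused (403) and leaves no 'supports CSP' record for the session."""
    expected = _pending_nonce.pop(session_id, None)
    if expected is None or nonce is None:
        return 403
    if not secrets.compare_digest(expected, nonce):
        return 403
    _supports_csp[session_id] = True
    return 200


def client_supports_csp(session_id: str) -> bool:
    """What the site learned about this client, per Sid's point that a
    server can tell which clients are using CSP."""
    return _supports_csp.get(session_id, False)
```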
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security