Brandon Sterne wrote on 4/7/2009 12:02 PM:
> I looked at each of the HTTP Header Field Definitions and my preference
> for communicating the CSP version is to add a product token [1] to the
> User-Agent [2] string. This would add only a few bytes to the U-A and
> it saves us the trouble of having to go through IETF processes of
> creating a new request header.
I agree that creating a request header for just the CSP version is overkill.
However, I am concerned that privacy add-ons, proxies, firewalls, etc may strip
or replace the User-Agent string.
I propose a new request header is created, but instead of one that is specific
to CSP, it is something more generic that can be used in the future by similar
policy frameworks.
For example:
Accept-Header: X-Content-Security-Policy version=2 securityLevel=2;
X-Application-Boundaries-Enforcer type=browser
FWIW, "X-Application-Boundaries-Enforcer" refers to ABE:
http://hackademix.net/2008/12/20/introducing-abe/
I originally came up with Accept-Header during a conversation about revising
the Cookie specification; it would alert the server that the client understood
"version 3" of cookies:
Accept-Header: Set-Cookie version=3
So it does have a variety of uses that may make it worth the effort to register
and define.
- Bil
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
