On 08/04/09 21:49, Brandon Sterne wrote:
> Defining a new header seems like a non-starter to me. We are going to be hard-pressed to get one new header standardized, so throwing one away seems very wasteful.

As I said, I think the possibility of needing a breaking change in syntax is tiny.

> If sites are relying on CSP for XSS protection, then perhaps they would want to serve only "trusted content" to non-CSP users.

If you have a mechanism for making content "trusted", why not use it all the time? You don't turn off your HTML sanitizer for CSP-supporting browsers.

> In reality, as CSP becomes more mature and well-understood, sites will rely on it for XSS mitigation. It's inevitable that if we put a reliable product out there sites will rely upon it.

But by design, it can't be entirely reliable, because it can't read the developer's mind. Or have you got the ESP module working properly now? :-)

> But our header is only sent as a response header, so would not be useful for sending version info with client requests.

Yeah, duh. Not sure what I was thinking there. Sorry.

> We're somewhat averse to adding a request header that would only carry the version info, so that's why we're looking for an existing request header that can carry this info.

I really don't think UA is the right choice. Microsoft are bloating UAs with .NET versions, and that's making people unhappy.
Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security