On 4/15/09 1:32 AM, Gervase Markham wrote:
> Why does the CSP technology get to advertise and version itself in this
> way when no other technology the browser supports does? If we allow CSP
> to send version information in every HTTP request, what other
> technologies are going to want it? "I support <video>". "I support
> HTML5". Etc. I think the slippery slope argument has validity here.

The support of <video> or HTML5 by a client does not have the same security implications as the support of CSP. If a client does not support <video> and a site serves it to them, there is no risk to the client, which can passively ignore the <video> content. If a client does not support CSP and a site serves them untrusted content, there is a higher XSS risk to that client than to one which does support CSP.

> Why not start versioning when we reach version 2 (i.e. there are two
> versions to distinguish), if that ever happens?

Another benefit of the version string that we've discussed is the ability for a client to signal that CSP is disabled presently (by removing the string). In those cases, a site may want to restrict which content is served to that client.

-Brandon

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
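The gating Brandon describes (a site withholding untrusted content from clients that do not advertise CSP) as an added example that is not part of the thread. The request header name `X-CSP-Support`, its `CSP/<major>.<minor>` value format and the minimum version are assumptions; the thread does not specify them, and the response header name is the one used by the early Firefox implementation.

```python
# Added example, not from the dev-security thread. Server-side decision
# on whether to embed user-supplied HTML, based on whether the client
# advertised CSP support in the request. Header name and value format
# are hypothetical assumptions for illustration.
import re
from typing import Optional, Tuple

CSP_ADVERT_HEADER = "X-CSP-Support"      # hypothetical request header
MIN_SUPPORTED = (1, 0)                   # oldest CSP version the site relies on
POLICY = "default-src 'self'"            # policy sent with every response

_VERSION_RE = re.compile(r"^CSP/(\d+)\.(\d+)$")


def parse_csp_version(headers: dict) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) version the client advertised, or None.
    Header names match case-insensitively; a missing or malformed header
    is treated as 'CSP disabled', which is the signal the thread discusses."""
    for name, value in headers.items():
        if name.lower() == CSP_ADVERT_HEADER.lower():
            m = _VERSION_RE.match(value.strip())
            return (int(m.group(1)), int(m.group(2))) if m else None
    return None


def client_enforces_csp(headers: dict) -> bool:
    version = parse_csp_version(headers)
    return version is not None and version >= MIN_SUPPORTED


def render_page(headers: dict, untrusted_html: str) -> Tuple[dict, str]:
    """Build (response_headers, body). The policy header is always sent.
    The user-supplied fragment is embedded only when the client advertised
    a CSP version the site is willing to rely on as a second line of defence
    (output filtering of that fragment still applies and is out of scope here);
    other clients get a placeholder instead of the unmitigated XSS risk."""
    response_headers = {"X-Content-Security-Policy": POLICY}
    if client_enforces_csp(headers):
        fragment = untrusted_html
    else:
        fragment = "<p>Comment hidden: browser did not advertise CSP.</p>"
    return response_headers, "<html><body><h1>Post</h1>%s</body></html>" % fragment


if __name__ == "__main__":
    # Constructed sample requests: one CSP-capable client, one with CSP disabled.
    for req in ({"X-CSP-Support": "CSP/1.0"}, {"User-Agent": "legacy"}):
        print(req, "->", render_page(req, "<b>user comment</b>")[1])
```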
