pceelen wrote:
> To prevent this we should have some requirements about the static
> nature of the js files. One mechanism that might implement this is
> adding requirements for static js files by requiring code-signed
> javascript files (is this possible at the moment?
> http://www.mozilla.org/projects/security/components/signed-scripts.html
> describes signed scripts, however it requires the creation of a
> *.jar). In such a situation code signed javascript should be signed by
> an offline key.
There is no cross-browser support for signed javascript. With the current CSP the site will work perfectly well in browsers that don't support CSP. CSP is already asking site authors to do a lot of work, but since it works in all browsers sites can transition slowly (such as writing new content to that standard, leaving old content alone). If CSP requires separate content for CSP-supporting browsers it will never fly.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security