On a related note (to Ian's initial message), I'd like to ask again to
see some real-world policy examples.  I suggested CNN last time, but
if something like Twitter would be an easier place to start, maybe we
could see that one?  Or see the example for mozilla.org, maybe?  Or
even just some toy problems to start, working up to real-world stuff
later.

I'm asking for a reason: I think the process of trying to determine
good policy for some real sites will give a lot of insight into where
CSP may be too complex, or equally, where it's unable to be
sufficiently precise.  And it provides a bit of a usability test:
remember that initially, many people wanting to use CSP will be
applying it to existing sites as opposed to designing sites such that
they work well with CSP.

People will want examples eventually as part of the documentation for
CSP because, as has been pointed out, they're more likely to cut and
paste from these examples than to generate policy from scratch.  So
let's see what sort of examples people will be cutting and pasting
from!

 Terri

PS - Full Disclosure: I'm one of the authors of a much simpler system
with similar goals, called SOMA: http://www.ccsl.carleton.ca/software/soma/
so obviously I'm a big believer in simpler policies.  We presented
SOMA last year at ACM CCS, so I promise this isn't just another system
from some random internet denizen -- this is peer-reviewed work from
professional security researchers.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
