On 8/10/09 10:27 AM, TO wrote: > I'd like to ask again to > see some real-world policy examples. I suggested CNN last time, but > if something like Twitter would be an easier place to start, maybe we > could see that one? Or see the example for mozilla.org, maybe? Or > even just some toy problems to start, working up to real-world stuff > later.
Working examples will be forthcoming as soon as we have Firefox builds available which contain CSP. Absent the working builds, do you think it's valuable for people to compare page source for an existing popular site and a CSP-converted version? > I'm asking for a reason: I think the process of trying to determine > good policy for some real sites will give a lot of insight into where > CSP may be too complex, or equally, where it's unable to be > sufficiently precise. And it provides a bit of a usability test: > remember that initially, many people wanting to use CSP will be > applying it to existing sites as opposed to designing sites such that > they work well with CSP. > > People will want examples eventually as part of the documentation for > CSP because, as has been pointed out, they're more likely to cut and > paste from these examples than to generate policy from scratch. So > let's see what sort of examples people will be cutting and pasting > from! > > Terri > > PS - Full Disclosure: I'm one of the authors of a much simpler system > with similar goals, called SOMA: http://www.ccsl.carleton.ca/software/soma/ > so obviously I'm a big believer in simpler policies. We presented > SOMA last year at ACM CCS, so I promise this isn't just another system > from some random internet denizen -- This is peer-reviewed work from > professional security researchers. I read through your ACM CCS slides and the project whitepaper and SOMA doesn't appear to address the XSS vector of inline scripts in any way. Have I overlooked some major aspect of SOMA, or does the model only provide controls for remotely-included content? -Brandon _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
