On 10/20/09 12:58 PM, Adam Barth wrote: > I think one of the goals of CSP is to avoid having one-off HTTP > headers for each threat we'd like to mitigate. Combining different > directives into a single policy mechanism has advantages: > > 1) It's easier for web site operators to manage one policy. > 2) The directives can share common infrastructure, like the reporting > facilities.
While I agree with your points enumerated above, we should be really careful about scope creep and stuffing new goals into an old idea. The original point of CSP was not to provide a global security infrastructure for web sites, but to provide content restrictions and help stop XSS (mostly content restrictions). Rolling all sorts of extra threats like history sniffing into CSP will make it huge and complex, and for not what was initially desired. (A complex CSP isn't so bad if it were modular, but I don't think 'wide-reaching' was the original aim for CSP). Brandon, Gerv, step in and correct me if I'm wrong -- you were working on this long before me -- but I want to be really careful if we're going to start changing the goals of this project. If we want to come up with something extensible and wide-reaching, we should probably step back and seriously overhaul the design. -Sid _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
