On Tue, Oct 20, 2009 at 1:20 PM, Sid Stamm <s...@mozilla.com> wrote: > While I agree with your points enumerated above, we should be really > careful about scope creep and stuffing new goals into an old idea. The > original point of CSP was not to provide a global security > infrastructure for web sites, but to provide content restrictions and > help stop XSS (mostly content restrictions). Rolling all sorts of extra > threats like history sniffing into CSP will make it huge and complex, > and for not what was initially desired. (A complex CSP isn't so bad if > it were modular, but I don't think 'wide-reaching' was the original aim > for CSP).
I think we're completely in agreement, except that I don't think making CSP modular is particularly hard. In fact, I think it makes the proposal much more approachable because vendors can implement just BaseModule (the CSP header syntax) and other modules they like such as XSSModule without feeling like they have to implement the ones they think aren't interesting. And they can experiment with their own modules without feeling like they're breaking the spec. One idea that might make a module CSP more approachable for vendors is to have a status page that shows the various modules, like this: https://wiki.mozilla.org/Security/CSP/Modules _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
