On 20/10/09 21:20, Sid Stamm wrote:
While I agree with your points enumerated above, we should be really careful about scope creep and stuffing new goals into an old idea. The original point of CSP was not to provide a global security infrastructure for web sites, but to provide content restrictions and help stop XSS (mostly content restrictions). Rolling all sorts of extra threats like history sniffing into CSP will make it huge and complex, and for not what was initially desired. (A complex CSP isn't so bad if it were modular, but I don't think 'wide-reaching' was the original aim for CSP).
I think we need to differentiate between added complexity in syntax and added complexity in implementation.
If we design the syntax right, there is no need for additional CSP directives to make the syntax more complicated for those who neither wish to know nor care about them.
If we modularise CSP correctly, there is no necessity that additional ideas lead to greater implementation complexity for those browsers who don't want to adopt those ideas (yet).
I think it would be good if we didn't have to invent a new header for each idea of ways to lock down content. I think it would be great if people could experiment with Content-Security-Policy: x-my-cool-idea, and see if it was useful before standardization. Any idea which is a policy for content security should be in scope for experimentation.
I agree with your concerns about scope creep, but I don't think making sure the syntax is forwards-compatible requires a fundamental redesign. And I don't think allowing the possibility of other things means we are on the hook to implement them, either for Firefox 3.6 or for any other release.
We may wish to say "OK, CSP 1.0 is these 3 modules", so that a browser could say "I support CSP 1.0" without having to be more specific and detailed. But given that CSP support is unlikely to be a major marketing sell, I don't think that's a big factor.
Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
