On 10/21/09 2:49 AM, Gervase Markham wrote:
> I think we need to differentiate between added complexity in syntax and
> added complexity in implementation.
> 
> If we design the syntax right, there is no need for additional CSP
> directives to make the syntax more complicated for those who neither
> wish to know nor care about them.

Additional Directives are not a problem either, unless they're mandatory
for all policies (which is not the case ... yet).  I'm still more in
favor of extension via new directives than extension by modifying
existing ones: this seems more obviously backward compatible and in
reality probably more forward compatible too.

> If we modularise CSP correctly, there is no necessity that additional
> ideas lead to greater implementation complexity for those browsers who
> don't want to adopt those ideas (yet).

Agreed.  I'm not against modularization at all, I just want to be
careful so that it is specced out that way -- we just need to keep this
in mind.

> I think it would be good if we didn't have to invent a new header for
> each idea of ways to lock down content. I think it would be great if
> people could experiment with Content-Security-Policy: x-my-cool-idea,
> and see if it was useful before standardization. Any idea which is a
> policy for content security should be in scope for experimentation.

Right.  This was proposed a while back (I don't recall the thread off
hand) as one header to convey all relevant security policies.  Something
like Accept-Policies I think.  If we want to turn CSP into that, we
could, but it surely wasn't designed from the ground up with that in mind.

> I agree with your concerns about scope creep, but I don't think making
> sure the syntax is forwards-compatible requires a fundamental redesign.
> And I don't think allowing the possibility of other things means we are
> on the hook to implement them, either for Firefox 3.6 or for any other
> release.

Point taken.  I'm on board for modularization so long as we don't have
to completely redesign the policy syntax.

I'm also a bit worried that we might lose sight of the original goals of
CSP and so I wanted to bring up the fact that we have wandered far far
away from where CSP started.  If everyone is okay with the diversion, I
see no cause for concern.

> We may wish to say "OK, CSP 1.0 is these 3 modules", so that a browser
> could say "I support CSP 1.0" without having to be more specific and
> detailed. But given that CSP support is unlikely to be a major marketing
> sell, I don't think that's a big factor.

What?  No "CSP 1.0 Compatible!" stickers for my laptop?  Or "CSP
inside"?  :)

-Sid
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
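The thread's argument that extension by new directives (including experimental ones like `x-my-cool-idea`) stays backward compatible hinges on how a client parses a policy it only partly understands. The following tolerant parser is an added example, not code from the thread or from Mozilla; the set of "known" directive names is assumed for illustration and is not the specification's list.

```python
# Added example: a CSP header parser that keeps unrecognised directives instead
# of rejecting the whole policy, so new directives can be introduced safely.
# KNOWN_DIRECTIVES is an assumption for this example, not the spec's directive list.
from dataclasses import dataclass, field

KNOWN_DIRECTIVES = {"default-src", "script-src", "img-src"}  # assumed for the example


@dataclass
class Policy:
    directives: dict = field(default_factory=dict)  # name -> list of source tokens
    unknown: dict = field(default_factory=dict)     # experimental / unrecognised names


def parse_csp(header_value: str) -> Policy:
    """Parse a Content-Security-Policy value; unknown directives are recorded, not fatal."""
    policy = Policy()
    for raw in header_value.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue  # tolerate empty segments and a trailing ';'
        name, sources = parts[0].lower(), parts[1:]
        if name in policy.directives or name in policy.unknown:
            continue  # first occurrence wins; duplicates are ignored
        target = policy.directives if name in KNOWN_DIRECTIVES else policy.unknown
        target[name] = sources
    return policy


def allows(policy: Policy, directive: str, origin: str) -> bool:
    """Enforce only the directives this (older) client knows, with default-src as fallback."""
    sources = policy.directives.get(directive, policy.directives.get("default-src", []))
    return origin in sources or "*" in sources


if __name__ == "__main__":
    # Constructed sample policy mixing known directives with an experimental one.
    sample = "default-src 'self'; x-my-cool-idea on; script-src https://cdn.example.com;"
    p = parse_csp(sample)
    print("known:", p.directives)
    print("unknown (kept, not enforced):", p.unknown)
    print("script from cdn allowed:", allows(p, "script-src", "https://cdn.example.com"))
```

A client that understands `x-my-cool-idea` can read it from `policy.unknown`; one that does not still enforces the directives it knows, which is the compatibility property the thread is after.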