> > I find it rather surreal that we are arguing over whether to implement a whitelist or a blacklist in CSP. I am strongly in the whitelist camp

I don't think that is what Adam is arguing about. Writing protocols for the web is fundamentally different from that for other systems. A fundamental constraint (amongst others) which you should support is (random term) 'anarchic' extensibility. 'Anarchic' in the sense that we don't know what/how the system is going to be extended and we probably won't have a say in it.

Designing under such constraints, he proposes a policy mechanism which involves blacklisting only. Current-CSP on the other hand seems to have started from 'white listing is the most secure way' and then gone on to develop a mechanism for the web. Whitelisting might be the most secure way but that doesn't necessarily equate with good for the web. If you can come up with a mechanism that under these web constraints is still white list only, you are most welcome.

Don't get me wrong, I do agree with your approach. But the argument isn't as simple as whitelisting vs. blacklisting -- if you phrase it that way no security researcher is going to say 'blacklisting'.

Cheers
Devdatta
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security