I'm not a fan of it but it's unavoidable for a security mechanism. We
already had bugs filed against CSP that would result in content
impacting behavioral changes. Not to mention that even module-centric
functionality would have to be revised to govern new APIs and new
types of attacks against existing APIs. Other option I guess is not
versioning and just breaking content periodically.
Lucas
On Oct 20, 2009, at 15:27, Adam Barth wrote:
> On Tue, Oct 20, 2009 at 3:21 PM, Lucas Adamski wrote:
>> I've been a firm believer that CSP will evolve over time but that's an
>> argument for versioning though, not modularity. We are as likely to have to
>> modify existing behaviors as introduce whole new sets. It's also not a
>> reason to split the existing functionality into modules.
>
> I'm not sure versioning is the best approach for web technologies.
> For example, versioning has been explicitly rejected for HTML,
> ECMAScript, and cookies. In fact, I can't really think of a
> successful web technology that uses versioning instead of
> extensibility. Maybe SSL/TLS? Even there, the modern approach is to
> advance the protocol with extensions (e.g., SNI).
>
> Adam
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security