Re: Content Security Policy feedback
Bil Corry wrote: Giorgio Maone mentioned CSP on the OWASP Intrinsic Security list[1] and I wanted to provide some feedback. (1) Something that appears to be missing from the spec is a way for the browser to advertise to the server that it will support Content Security Policy, possibly with the CSP version. That's intentional. CSP is a backstop solution, not front-line security. If you are depending on the presence of CSP, as the lolcats say, U R Doin It Wrong. (2) Currently the spec allows/denies based on the host name, it might be worthwhile to allow limiting it to a specific path as well. For example, say you use Google's custom search engine, one way to implement it is to use a script that sits on www.google.com (e.g. http://www.google.com/coop/cse/brand?form=cse-search-boxamp;lang=en). By having an allowed path, you could prevent loading other scripts from the www.google.com domain. For this and the next one, I'll wait for bsterne to reply, as he's doing the implementation and speccing work. (3) Currently the spec focuses on the host items -- has any thought be given to allowing CSP to extend to sites being referenced by host items? That is, allowing a site to specify that it can't be embedded on another site via frame or object, etc? I imagine it would be similar to the Access Control for XS-XHR[2]. I would suspect that would be out of scope. Gerv ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: UniversalBrowserRead CAPS in V2.0.0.18 and 3.0.4
On Nov 19, 2:35 pm, Boris Zbarsky [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: I have been using user_prefs to disable the same origin sandbox during development. FF V2.0.0.18 and 3.0.4 have broken those settings Which exact aspect of same-origin were you trying to disable? Does anyone know if there are additional settings that are now required Required to do what, exactly? -Boris I attached the lines in my user.js file to show I was setting UniversalBrowserRead and UniversalBrowserWrite. (P.S. You previously indicated the user_prefs looked OK - at least for previous versions.) It looks like something changed in the new versions. Jim ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: UniversalBrowserRead CAPS in V2.0.0.18 and 3.0.4
[EMAIL PROTECTED] wrote: On Nov 19, 2:35 pm, Boris Zbarsky [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: I have been using user_prefs to disable the same origin sandbox during development. FF V2.0.0.18 and 3.0.4 have broken those settings Which exact aspect of same-origin were you trying to disable? Does anyone know if there are additional settings that are now required Required to do what, exactly? -Boris I attached the lines in my user.js file to show I was setting UniversalBrowserRead and UniversalBrowserWrite. Yes. That doesn't answer my question. You want the expanded privileges because you're trying to do something that's normally prohibited. What is this something? (P.S. You previously indicated the user_prefs looked OK - at least for previous versions.) It's OK in general. That code hasn't changed. What might have changed is whether UniversalBrowserRead and UniversalBrowserWrite are sufficient for what you want to do. -Boris ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: UniversalBrowserRead CAPS in V2.0.0.18 and 3.0.4
On Nov 20, 4:39 pm, Boris Zbarsky [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: On Nov 19, 2:35 pm, Boris Zbarsky [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: I have been using user_prefs to disable the same origin sandbox during development. FF V2.0.0.18 and 3.0.4 have broken those settings Which exact aspect of same-origin were you trying to disable? Does anyone know if there are additional settings that are now required Required to do what, exactly? -Boris I attached the lines in my user.js file to show I was setting UniversalBrowserRead and UniversalBrowserWrite. Yes. That doesn't answer my question. You want the expanded privileges because you're trying to do something that's normally prohibited. What is this something? (P.S. You previously indicated the user_prefs looked OK - at least for previous versions.) It's OK in general. That code hasn't changed. What might have changed is whether UniversalBrowserRead and UniversalBrowserWrite are sufficient for what you want to do. -Boris These have been sufficient in the past to allow cross-domain reads during development prior to plugin development. UniversalBrowserWrite was actually only a convenience for processing some style information and is actually not critical. ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: UniversalBrowserRead CAPS in V2.0.0.18 and 3.0.4
[EMAIL PROTECTED] wrote: These have been sufficient in the past to allow cross-domain reads during development prior to plugin development. UniversalBrowserWrite was actually only a convenience for processing some style information and is actually not critical. Sure. I'm just saying that depending on exactly how you're doing your cross-domain reads they might no longer be sufficient. It's really hard to say anything else given the information you're willing to provide. -Boris ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security