Re: Content Security Policy feedback

2009-01-12 Thread Bil Corry
Sid Stamm wrote on 1/12/2009 3:19 PM:
> It seems to me that unless client browsers *never* send CSP-related
> data to the server then the server can ultimately determine which
> clients are using CSP.

I agree, without the client advertising CSP-support, sites will test for CSP just as they test

Re: Content Security Policy feedback

2009-01-12 Thread Sid Stamm
On Jan 12, 2:23 pm, Bil Corry wrote:
> It already has this feature, see #6:

Ah, sorry for my blindness Bil. It has been a while since I read that, and simply spaced on that feature.

Gerv: what are your thoughts on (mis)use of the Report-URI to determine which browsers support CSP? For example,

Re: Content Security Policy feedback

2009-01-12 Thread Bil Corry
Sid Stamm wrote on 1/12/2009 12:52 PM:
> Or do we want phone-home features for CSP so the browser will
> automatically tell a site when its policy is violated?

It already has this feature, see #6: http://people.mozilla.org/~bsterne/content-security-policy/details.html

- Bil

Re: Content Security Policy feedback

2009-01-12 Thread Sid Stamm
On Jan 12, 5:53 am, Gervase Markham wrote:
> not all end-users have to use it for it to be helpful in the case of a
> particular site which is using it. I say this because once the site
> owner is warned of the problem, he can fix it. If no-one has CSP, it may
> take much longer for people to noti

Re: Content Security Policy feedback

2009-01-12 Thread Mike Ter Louw
Gervase Markham wrote: Sid Stamm wrote: What worries me is that with no assurance that they're enforced, CSP policies won't be provided by web sites since it takes time (granted, not much of it) to compose them. It's likely that a profit-driven company might rather have their engineers spend ti

Re: Content Security Policy feedback

2009-01-12 Thread Gervase Markham
Sid Stamm wrote:
> Gervase Markham wrote:
>> Security is a multi-faceted beast.
> Point taken, and I agree, it was a crappy analogy.
>
>> Again, CSP is here being used as a front line of
>> defence, and it shouldn't be.
> I agree with you... optimally, CSP should not be front-line defense.
> But