Re: CRMF encoding issues with window.crypto.generatedCRMFRequest()

2009-07-17 Thread Daniel Veditz
Moving discussion to mozilla.dev.tech.crypto, but do go ahead and file bugs. I doubt 3.5 behaves any differently than 3.0 (you did mean 3.0.10, right? If you're using Firefox 2 please stop). nk wrote: > Hi all, > I am researching the window.crypto.generatedCRMFRequest() function > available on Fir

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Daniel Veditz
Jean-Marc Desperrier wrote: > In fact a solution could be that every time the browser rejects > downloading a resource due to CSP rules, it spits out a warning on the > javascript console together with the minimal CSP authorization that > would be required to obtain that resource. > This could help

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Brandon Sterne
On 7/16/09 8:17 PM, Ian Hickson wrote: > On Thu, 16 Jul 2009, Daniel Veditz wrote: >> Ian Hickson wrote: >>> * The more complicated something is, the more mistakes people will >>> make. >> We encourage people to use the simplest policy possible. The additional >> options are there for the edge ca

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Bil Corry
Jean-Marc Desperrier wrote on 7/17/2009 11:18 AM: > Bil Corry wrote: >> CSP is non-trivial; it takes a bit of work to configure it properly >> and requires on-going maintenance as the site evolves. It's not >> targeted to the uninformed author, it simply isn't possible to >> achieve that kind of

CRMF encoding issues with window.crypto.generatedCRMFRequest()

2009-07-17 Thread nk
Hi all, I am researching the window.crypto.generatedCRMFRequest() function available on Firefox (I am using FF 2.0.10). Now, if requested keys are for signing - everything looks good. But if requested keys are for key exchange (e.g. "rsa-ex"), the generated CRMF request structure has a number of is

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Daniel Veditz
Ian Hickson wrote: > This isn't intended to be a "gotcha" question. My point is just that CSP > is too complicated, too powerful, to be understood by many authors on the > Web, and that because this is a security technology, this will directly > lead to security bugs on sites (and worse, on site

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Sid Stamm
On 7/17/09 8:40 AM, Bil Corry wrote: An external validation tool could help authors understand > what their CSP rules are actually allowing/preventing (maybe > something similar to validator.w3.org). To complement it, > another handy tool would be a browser plug-in that could help > create CSP

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Jean-Marc Desperrier
Bil Corry wrote: CSP is non-trivial; it takes a bit of work to configure it properly and requires on-going maintenance as the site evolves. It's not targeted to the uninformed author, it simply isn't possible to achieve that kind of coverage -- I suspect in the pool of all authors, the majority

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Bil Corry
Jean-Marc Desperrier wrote on 7/17/2009 2:26 AM: > Daniel Veditz wrote: >> CSP is designed so that mistakes of omission tend to break the site. >> This won't introduce subtle bugs, rudimentary content testing >> will quickly reveal problems. > > But won't authors fail to understand how to s

Re: Comments on the Content Security Policy specification

2009-07-17 Thread Jean-Marc Desperrier
Daniel Veditz wrote: CSP is designed so that mistakes of omission tend to break the site. This won't introduce subtle bugs, rudimentary content testing will quickly reveal problems. But won't authors fail to understand how to solve the problem, and open everything wide? From experience,
