On Mon, Oct 26, 2009 at 6:11 PM, Daniel Veditz dved...@mozilla.com wrote:
They have already opted in by adding the CSP header. Once they've
opted-in to our web-as-we-wish-it-were they have to opt-out of the
restrictions that are too onerous for their site.
I understand the seductive power of

Hi
There are two threads running in parallel here:
1) Should blocking XSS be the default behaviour of adding an
X-Content-Security-Policy? (instead of the straw man proposal where an
additional 'block-xss' would be required)
2) Should the result of blocking XSS also cause eval and inline
scripts to

On 10/27/09 2:33 AM, Adam Barth wrote:
I understand the seductive power of secure-by-default here.
If only she loved me back.
This statement basically forecloses further discussion because it does
not advance a technical argument that I can respond to. In this
forum, you are the king and I

On Tue, Oct 27, 2009 at 12:39 PM, Daniel Veditz dved...@mozilla.com wrote:
I don't think we're having a technical argument, and we're not getting
the feedback we need to break the impasse in this limited forum.
I agree that we're not making progress in this discussion.
At a high level, the

On 10/27/2009 02:33 AM, Adam Barth wrote:
My technical argument is as follows. I think that CSP would be better
off with a policy language where each directive was purely subtractive
because that design would have a number of simplifying effects:
I couldn't find a comment that summarizes the

On Tue, Oct 27, 2009 at 3:54 PM, Brandon Sterne bste...@mozilla.com wrote:
I couldn't find a comment that summarizes the model you are proposing so
I'll try to recreate your position from memory of our last phone
conversation.
I'll try to find the time to write a complete specification.
I

On 10/27/09 4:32 PM, Adam Barth wrote:
On Tue, Oct 27, 2009 at 3:54 PM, Brandon Sterne bste...@mozilla.com wrote:
My main objection to this approach is that it turns the whitelist approach
we started with into a hybrid whitelist/blacklist.
The design is a pure blacklist. Just like turning