On 19.09.2013 20:30, Daniel Veditz wrote:
>> The only question that remains is how hard is it to apply a CSP to
>> non-HTTP documents and XUL documents (like about:newtab)?
>
> At the moment, hard; trivial once we support the CSP 1.1 <meta> tag
> feature. Well, actually, adding the CSP policies isn't going to be the
> hard part; fixing up all the pages will take a lot of work.
>

Is that because those pages are not transmitted over HTTP, or because our
existing CSP implementation doesn't really know how to handle the XUL?

> It'd be safer to automatically impose a policy, but that would break so
> many add-ons that it would take great political will to make that kind
> of change even if we let add-ons opt out of the imposition.
>

I'd love to avoid implicitly attaching policies to web pages. It sounds
like a good thing to go "default secure", but nobody will be happy if we
break add-ons.

> -Dan Veditz

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security