Sorry I haven't been more vocal on this thread lately. I think it's
important that we keep our momentum moving forward here if we hope to
get something meaningful implemented any time soon.
I am getting the sense that we aren't in agreement on one or two of
the fundamental goals of this project a
r their asses when they mess
> up. Relying on CSP is using it for something it's not designed for.
>
> bsterne - I'm not talking crack, right?
I think what Lucas is saying is that servers won't send policy to
clients who don't announce that they support CSP.
-Brandon
___
On Nov 17, 2:19 pm, Bil Corry <[EMAIL PROTECTED]> wrote:
> (1) Something that appears to be missing from the spec is a way for
> the browser to advertise to the server that it will support Content
> Security Policy, possibly with the CSP version. By having the browser
> send an additional header,
can view the updated proposal here:
http://people.mozilla.org/~bsterne/content-security-policy
Cheers,
Brandon
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
On Jul 12, 10:35 am, "Evert | Rooftop" <[EMAIL PROTECTED]> wrote:
> Sorry if this was already brought up in this thread (or if it's a
> closed subject), but using headers vs. a policy file is a bad idea,
> for the following reasons:
>
> * Allows caching
> * Allows usage of the policy on a site where
On Jul 10, 8:47 am, [EMAIL PROTECTED] wrote:
> The problem is that although solutions exist
> to both of these problems, developers have not properly implemented
> the solution. With your approach of SSP and safe requests, you are
> again relying on the developer to use the solution correctly, and
On Jun 25, 5:22 am, Gervase Markham <[EMAIL PROTECTED]> wrote:
> The documentation for Request-Source is now more complete, but it's a
> bit jumbled. I would make bullet 4 into bullet 2, and remove the second
> sentence because it's repeated in (new) bullet 3.
Good points. I'll make these changes
I've recently published a proposal for Site Security Policy, a
framework for allowing sites to describe how content in their pages
should behave (thanks, Gerv):
http://people.mozilla.com/~bsterne/site-security-policy
I'm creating a placeholder for any discussion that comes o