I have updated the proposal document to reflect the changes I mentioned briefly before. Chief among them are:
1. The name has been changed to Content Security Policy, mainly because the mechanism describes security policies applied to individual _resources_ and not entire websites. The change is intended to reduce confusion.
2. The scope of the proposal has been reduced to just XSS mitigations. We are now recommending the implementation of the Origin header to address CSRF.
3. The policy syntax has been expanded to address a greater number of types of content (not just script).

You can view the updated proposal here:
http://people.mozilla.org/~bsterne/content-security-policy

Cheers,
Brandon

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security