bsterne wrote: > http://people.mozilla.com/~bsterne/site-security-policy
This is an interesting proposal. Here are some thoughts:

- Are we concerned about the bandwidth used by the additional headers, or are the days of worrying about a few bytes overhead per request long past?

- I am concerned about the performance implications of making a preliminary HEAD request for every cross-site resource, which is needed to enable Request-Source. Has this been analysed at all? The impact would be significantly reduced if we were to do such checks only for unsafe HTTP verbs (i.e. POST rather than GET). The vast majority of cross-site requests (e.g. images, searches) are GETs.

- "When any Script-Source instruction is received by the browser script enforcement mode is enabled and only white-listed hosts will be treated as valid sources of script for the page. Any script embedded within the page and any script included from non-white-listed hosts will not be executed."

  This means that all script has to be in external .js files. (This is one of the differences in approach from Content-Restrictions.) While this is an encouragement of best practice in JS authorship (unobtrusive script, addition of event handlers using addEventListener() and so on), would site authors find it too restrictive?

- I am assuming that the script-removal required by Script-Source would be done at parse time. Is that correct?

- Is it worth having a special value for Script-Source and Request-Target, such as "domain", to enable all sites in the same domain (as defined by the Public Suffix List, http://www.publicsuffixlist.org) to receive requests, rather than making the site owner list them explicitly?

- Report-URI is a truly fantastic idea. It should support page- and site-relative URIs too, in order to keep the header size down, e.g. Report-URI: /error-collector.cgi

- Perhaps via an extension, the browser could also support notifying the user/web developer of policy violations.

- Can you more carefully define the relative priority and order of application of allow and deny rules in e.g. Script-Source?

- Do you plan to permit these policies to also be placed in <meta http-equiv=""> tags? There are both pros and cons to this, of course.

Hope that's helpful :-)

Gerv
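Added example (not part of the original thread or of the Site Security Policy proposal): a small simulation of the Script-Source enforcement behaviour quoted above, plus the page-relative Report-URI resolution Gerv suggests. The "allow"/"deny" host-list syntax and the deny-over-allow precedence are assumptions made for this example, not the proposal's actual grammar.

```python
"""Simulate Script-Source enforcement as summarised in the thread: once any
Script-Source instruction is present, inline script is dropped and only
external scripts from white-listed hosts run. Directive syntax
('allow host...; deny host...') and deny-before-allow precedence are
assumptions for this example, not the proposal's grammar."""
from urllib.parse import urljoin, urlsplit


def parse_policy(header_value):
    """Parse e.g. 'allow cdn.example.com; deny bad.example.com' (assumed syntax)."""
    policy = {"allow": set(), "deny": set()}
    for clause in header_value.split(";"):
        parts = clause.split()
        if not parts:
            continue
        keyword, hosts = parts[0].lower(), parts[1:]
        if keyword not in policy:
            raise ValueError("unknown Script-Source clause: %s" % keyword)
        policy[keyword].update(h.lower() for h in hosts)
    return policy


def script_allowed(policy, page_url, script_src):
    """Decide whether a <script> element may execute under enforcement mode.

    script_src is None for an inline (embedded) script, otherwise the src
    attribute, which may be relative to the page. Inline script never runs;
    external script runs only if its host is allowed and not denied.
    """
    if script_src is None:
        return False  # embedded script is removed at parse time
    host = urlsplit(urljoin(page_url, script_src)).hostname
    if host is None:
        return False
    host = host.lower()
    if host in policy["deny"]:
        return False  # assumed precedence: deny beats allow
    return host in policy["allow"]


def resolve_report_uri(page_url, report_uri):
    """Resolve a page- or site-relative Report-URI against the page's URL."""
    return urljoin(page_url, report_uri)


if __name__ == "__main__":
    # Constructed sample: a page, its (assumed-syntax) policy and its scripts.
    page = "http://www.example.com/index.html"
    pol = parse_policy("allow cdn.example.com static.example.com; deny static.example.com")
    for src in (None, "http://cdn.example.com/app.js", "/local.js", "//static.example.com/x.js"):
        print(src, "->", "run" if script_allowed(pol, page, src) else "blocked")
    print("reports go to", resolve_report_uri(page, "/error-collector.cgi"))
```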
