> - Do you plan to permit these policies to also be placed in <meta > http-equiv=""> tags? There are both pros and cons to this, of course.
Might it be a valuable idea to support a similar reference mechanism to the way that the P3P compact policy is supported? :: The location of the policy reference file can be indicated using one of four mechanisms. The policy reference file :: 1. may be located in a predefined "well-known" location, or :: 2. a document may indicate a policy reference file through an HTML link tag, or :: 3. a document may indicate a policy reference file through an XHTML link tag, or :: 4. through an HTTP header. (See http://www.w3.org/TR/P3P/#ref_syntax.) A similar hierarchy could be implemented and using a "known location" would address the bandwidth issue for sites that have this concern. I do agree that there are specific cons to allowing tags within the HTML source. Perhaps an overarching policy declaration could be implemented in the "known location" that allows or disallows the HTML or XHTML tag. As Gerv has previously proposed, I also would like to see some form of Content Restrictions implemented (http://www.gerv.net/security/content- restrictions/). I'm thinking specifically of the "header" option. I wonder if forcing all the JavaScript content to be externally referenced could be too restrictive for some application models. It might be acceptable for some organizations to assume the risk of allowing JavaScript solely into the HTML head of the page as this would allow page specific event handlers to be more easily delivered. While user supplied data sometimes does occur between the head tags, this risk might appear acceptable for some applications. Thanks. Danny _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
