Giorgio Maone mentioned CSP on the OWASP Intrinsic Security list[1] and I wanted to provide some feedback.
(1) Something that appears to be missing from the spec is a way for the browser to advertise to the server that it will support Content Security Policy, possibly with the CSP version. By having the browser send an additional header, it allows the server to make decisions about the browser, such as limiting access to certain resources, denying access, redirecting to an alternate site that tries to mitigate using other techniques, etc. Without the browser advertising whether it will follow the CSP directives, one would have to test for browser compliance, much like how tests are done now for cookie and JavaScript support (maybe that isn't a bad thing?).

(2) Currently the spec allows/denies based on the host name; it might be worthwhile to allow limiting it to a specific path as well. For example, say you use Google's custom search engine. One way to implement it is to use a script that sits on www.google.com (e.g. http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en). By having an allowed path, you could prevent loading other scripts from the www.google.com domain.

(3) Currently the spec focuses on the "host items" -- has any thought been given to allowing CSP to extend to sites being referenced by "host items"? That is, allowing a site to specify that it can't be embedded on another site via frame or object, etc.? I imagine it would be similar to the Access Control for XS-XHR[2].

- Bil

[1] https://lists.owasp.org/pipermail/owasp-intrinsic-security/2008-November/000062.html
[2] http://www.w3.org/TR/access-control/
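As an added illustration of point (2) above (example code, not part of the message and not any CSP implementation's matching logic): a small Python matcher that contrasts host-only allowlisting with host-plus-path allowlisting, using the www.google.com custom search script URL from the message. The tuple policy format, the function names and the second "other script" URL are constructed for this example.

```python
from urllib.parse import urlsplit


def matches_source(resource_url, source):
    """Return True if resource_url is allowed by one source entry.

    `source` is a constructed (scheme, host, path_prefix) tuple.
    A path_prefix of None reproduces host-only matching; a prefix
    ending in '/' matches a directory subtree; anything else must
    match the resource path exactly.  Query strings are ignored.
    """
    scheme, host, path_prefix = source
    parts = urlsplit(resource_url)
    # urlsplit lower-cases the scheme and hostname for us.
    if parts.scheme != scheme or parts.hostname != host:
        return False
    if path_prefix is None:
        return True
    if path_prefix.endswith("/"):
        return parts.path.startswith(path_prefix)
    return parts.path == path_prefix


def allowed(resource_url, policy):
    """A resource is allowed if any source entry in the policy matches."""
    return any(matches_source(resource_url, src) for src in policy)


# Policy as the draft discussed above expresses it: host name only.
HOST_ONLY = [("http", "www.google.com", None)]
# Policy as proposed in point (2): host name plus a specific path.
HOST_AND_PATH = [("http", "www.google.com", "/coop/cse/brand")]

# The custom search engine script from the message (real URL)
# and a constructed second script on the same host.
CSE_SCRIPT = "http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"
OTHER_SCRIPT = "http://www.google.com/some/other/script.js"

if __name__ == "__main__":
    for label, policy in (("host only", HOST_ONLY), ("host + path", HOST_AND_PATH)):
        print(label, "->", allowed(CSE_SCRIPT, policy), allowed(OTHER_SCRIPT, policy))
```

With the host-only policy both scripts load; with the host-plus-path policy only the custom search script does.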
