Hi Gerv,

Well, I think any security feature/model has to have some properties
that are reliable. So CSP may not prevent XSS in the blanket sense,
but it still needs to be able to enforce some set of restrictions that
the developer can rely upon.

Certainly the language within http://people.mozilla.org/~bsterne/content-security-policy/details.html
is unambiguous (i.e. "Scripts from non-white-listed hosts will not
be requested or executed", not "Scripts from non-white-listed hosts
may or may not be requested or executed").

Thanks,
Lucas.
On Dec 17, 2008, at 12:23 PM, Gervase Markham wrote:

Lucas Adamski wrote:
From this discussion I'm still seeing good reasons to have a version
flag; mainly to allow servers to detect whether a given client supports
CSP (and what version of it) in an unequivocal manner.

How do you react to my point that they shouldn't need to know that
because, if they do, it means they are relying on CSP, which they
shouldn't be?

If a server is to rely on CSP to reliably enforce security constraints

If it's doing that, it's broken. CSP is explicitly not designed for
this. (As I understand it.)

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
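The two positions in the thread, Gerv's "a server that relies on CSP is broken" and Lucas's "the whitelist semantics must still be reliable", can be shown side by side in code. The following Python is an added example written for this page, not code from the thread or from Mozilla: the server escapes untrusted output so an injected script is inert whether or not the client enforces CSP, and it sends a script-src whitelist as a second layer only. The header name, the policy grammar and the `script_allowed` model of "scripts from non-white-listed hosts will not be requested" are simplifying assumptions for illustration, not the draft's exact syntax.

```python
"""Defence-in-depth illustration (added example, not from the thread).

Primary control: HTML-escape untrusted text, so the page is safe even for a
client that knows nothing about CSP. Secondary control: emit a script-src
whitelist. The header name and policy grammar are assumed for this example.
"""
import html
from urllib.parse import urlsplit


def render_comment(user_text: str) -> str:
    """Primary defence: escape untrusted text before it reaches the page."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def build_response(user_text: str, script_hosts: list) -> dict:
    """Return headers and body; the CSP header is an additional layer only."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Header name and "script-src host ..." grammar are assumptions.
        "X-Content-Security-Policy": "script-src " + " ".join(script_hosts),
    }
    body = "<html><body>" + render_comment(user_text) + "</body></html>"
    return {"headers": headers, "body": body}


def script_allowed(policy: str, script_url: str) -> bool:
    """Simplified model of the whitelist rule Lucas quotes: a script loads
    only if its host appears in the script-src list, otherwise it is not
    requested at all. This is a toy evaluator, not a CSP implementation."""
    parts = policy.split()
    if not parts or parts[0] != "script-src":
        return False
    allowed = set(parts[1:])
    host = urlsplit(script_url).hostname
    return host is not None and host in allowed


def contains_live_script(body: str) -> bool:
    """Demo check: does the body still contain an un-escaped script tag?"""
    return "<script" in body.lower()


# Constructed sample input: the kind of text a comment form might receive.
SAMPLE_INPUT = '<script src="http://attacker.example/x.js"></script>'
SAMPLE_HOSTS = ["static.example.com"]

if __name__ == "__main__":
    resp = build_response(SAMPLE_INPUT, SAMPLE_HOSTS)
    policy = resp["headers"]["X-Content-Security-Policy"]
    print(policy)
    print(resp["body"])
    # Escaping alone neutralises the injection; CSP never had to act.
    print("live script in body:", contains_live_script(resp["body"]))
    # The whitelist layer, if the client enforces it, blocks the foreign host.
    print("attacker host allowed by policy:",
          script_allowed(policy, "http://attacker.example/x.js"))
```

The design point is that `contains_live_script` is already false before any policy is consulted, so a client without CSP support sees the same safe page; `script_allowed` only matters for the extra protection a CSP-aware client adds, which is the relationship between the two layers the thread is arguing about.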