Gervase Markham wrote on 12/17/2008 2:23 PM:
> Lucas Adamski wrote:
>> From this discussion I'm still seeing good reasons to have a version
>> flag; mainly to allow servers to detect whether a given client supports
>> CSP (and what version of it) in an unequivocal manner.
>
> How do you react to my point that they shouldn't need to know that
> because, if they do, it means they are relying on CSP, which they
> shouldn't be?
Is CSP supposed to be user-centric or site-centric?

By user-centric, I mean: is CSP going to be similar to NoScript and AdBlock Plus, where it's up to the user to configure its use and behavior, with the site being able to helpfully suggest the appropriate rules for itself? If so, then I agree: sites should not rely on CSP, because who knows how the user has configured CSP to behave.

By site-centric, I mean: is CSP going to be entirely driven by the site, so the lack of a CSP header from the site means there is no CSP protection in place? If so, then it is counter-intuitive that the entire model is premised on the site implementing the CSP header, but the site is blind to how many visitors use it and must not rely on CSP to actually do anything.

What I think will happen instead is that sites that implement it will have some expectation that it does something (otherwise, why implement it?), and they will test to see which browsers are supporting it. And if there is more than one version of CSP, they'll create multiple tests.

- Bil

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
