Sid Stamm wrote:
> I'm not sure I agree with that... take for instance a browser that
> only supports SSL v2 (and not 3):

That's a difficult "for instance" to accept, because there aren't any. At least, not that anyone uses.

> a site concerned with avoiding MITM
> attacks might serve different content (or none) to someone whose
> browser only supports SSL v2, and serve all the site's content to
> someone whose browser supports v3. That doesn't warrant blocking
> content to all visitors regardless of what security constructs their
> browser supports.

Right. In that far-fetched scenario, they might. But the security provided by SSL (privacy, authentication) is very different to the security provided by CSP (anti-XSS), so the analogy doesn't hold. Security is a multi-faceted beast.

> I see your point. One would hope X is not *designed* to be unsafe,
> but it might not be rock-solid, with a history of security issues
> (like Flash). The webmaster might not feel completely comfortable
> with his mastery of it, so only feels comfortable providing Flash-
> based content to people whose browsers will help protect them.

In which case, for the foreseeable future, he won't be providing it to many people. :-)

Again, CSP is here being used as a front line of defence, and it shouldn't be. Another feature of CSP is "herd immunity" - it doesn't have to be used by everyone to be helpful.

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
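The point in the message above, that CSP belongs behind a proper first line of defence rather than in front of it, can be shown in code. The following is an added example and not part of Gerv's message or of any Mozilla code: a minimal response builder that always HTML-escapes untrusted input (the front line) and additionally sends a CSP header (defence in depth). The policy string, the `render_comment`/`build_response` helper names and the sample comment are all constructed for this example. Because the body is escaped regardless of the header, a browser that ignores CSP still receives a page with no live script element.

```python
import html

# Constructed policy for the example: an extra layer, not the sole XSS control.
CSP_HEADER = "Content-Security-Policy"
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_comment(untrusted_comment: str) -> str:
    """Front line of defence: contextual output encoding of untrusted data.

    html.escape with quote=True neutralises <, >, &, " and ' so the value
    cannot break out of the HTML text context it is placed in.
    """
    return '<p class="comment">' + html.escape(untrusted_comment, quote=True) + "</p>"


def build_response(untrusted_comment: str) -> dict:
    """Return headers and body for a page that displays one user comment.

    The escaped body is correct on its own; the CSP header only adds a
    second barrier for browsers that enforce it (herd immunity for the rest
    of the page's users does not depend on every browser supporting CSP).
    """
    body = (
        "<!doctype html><html><body>"
        + render_comment(untrusted_comment)
        + "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        CSP_HEADER: CSP_VALUE,  # defence in depth, never the first line
    }
    return {"headers": headers, "body": body}


def contains_raw_script(body: str) -> bool:
    """Crude check used in the example to confirm no live <script> survives."""
    return "<script" in body.lower()


if __name__ == "__main__":
    # Constructed sample input: the classic XSS probe string.
    resp = build_response("<script>alert(1)</script>")
    print(resp["headers"][CSP_HEADER])
    print(resp["body"])
    print("raw script present:", contains_raw_script(resp["body"]))
```

Run as a script, it prints the policy, the escaped body and `raw script present: False`. The order of protections matters: remove the CSP header and the page is still safe against this input; remove the escaping and only CSP-enforcing browsers are protected, which is exactly the situation the message warns against.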
