On Jan 12, 5:53 am, Gervase Markham <[email protected]> wrote:
> not all end-users have to use it for it to be helpful in the case of a
> particular site which is using it. I say this because once the site
> owner is warned of the problem, he can fix it. If no-one has CSP, it may
> take much longer for people to notice the compromise.

Of course, unless the site breaks in a noticeable way when violations of CSP occur, there is no additional help for the site developer... and I don't believe that CSP is intended to have a violation reporting mechanism. Additionally, it is my impression that a lot of attacks stopped by CSP would break unnoticed. For example, a cross-site exploit that simply embeds a <script> and steals cookies would likely not modify the page visually, so whether or not it fails, the end-user wouldn't notice.

Maybe something to add value to CSP support would be a CSP developer mode or warning logo somewhere in the browser that alerts the end-user when a policy is violated. That would indeed be an easy add-on, and perhaps testers could just flip it on for sites they fool with on a daily basis.

Or do we want phone-home features for CSP so the browser will automatically tell a site when its policy is violated? This sounds like it could be abused to help sites identify which browsers support CSP (essentially providing that 'this-browser-supports-csp' flag you're arguing against).

-Sid

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
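The "phone-home" reporting discussed in this thread did later become part of CSP as the report-uri directive, under which the browser POSTs a JSON violation report to an endpoint the site names. The following is an added example, not code from this thread or from Mozilla: a small Python collector that parses such reports and separates blocked inline and external scripts (the silent cookie-theft case Sid describes) from other violations, so a site owner sees the violation even when the page looks fine. The "csp-report" field names follow the CSP specification; the sample reports are constructed, and the classification rules and the SCRIPT_DIRECTIVES set are this example's own assumptions.

```python
import json
from collections import Counter
from typing import Dict, List, Optional

# Assumption for this example: violations of these directives indicate an
# attempt to execute script (script-src from the CSP spec; the -elem/-attr
# variants are later refinements of it).
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}


def parse_csp_report(body: bytes) -> Optional[Dict[str, str]]:
    """Parse the JSON body a browser POSTs to a report-uri endpoint.

    Returns the inner "csp-report" object, or None when the body is not a
    well-formed report. A collector is reachable by anyone who can send a
    POST, so malformed input must be rejected rather than crash the handler.
    """
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def classify(report: Dict[str, str]) -> str:
    """Label a report as inline-script, external-script or other.

    "violated-directive" carries the whole directive ("script-src 'self'"),
    so only its first token is the directive name; newer browsers also send
    "effective-directive" with just the name.
    """
    raw = report.get("effective-directive") or report.get("violated-directive", "")
    parts = raw.split()
    directive = parts[0] if parts else ""
    blocked = report.get("blocked-uri", "")
    if directive in SCRIPT_DIRECTIVES:
        # Browsers report inline <script> blocks as "inline" (older builds
        # used "self" or an empty string); anything else is a fetched URL.
        if blocked in ("inline", "self", ""):
            return "inline-script"
        return "external-script"
    return "other"


def summarize(bodies: List[bytes]) -> Dict[str, object]:
    """Aggregate raw report bodies into counts a site owner can act on."""
    by_kind: Counter = Counter()
    by_page: Counter = Counter()
    malformed = 0
    for body in bodies:
        report = parse_csp_report(body)
        if report is None:
            malformed += 1
            continue
        by_kind[classify(report)] += 1
        by_page[report.get("document-uri", "<unknown>")] += 1
    return {"by_kind": by_kind, "by_page": by_page, "malformed": malformed}


def _report(document_uri: str, directive: str, blocked: str) -> bytes:
    """Build a constructed report body in the shape a browser would POST."""
    name = directive.split()[0]
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "referrer": "",
        "violated-directive": directive,
        "effective-directive": name,
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": blocked,
        "status-code": 200,
    }}).encode("utf-8")


# Constructed sample input: one blocked inline script, one blocked external
# script, one unrelated image violation, and one non-JSON POST body.
SAMPLE_REPORTS: List[bytes] = [
    _report("https://example.test/profile", "script-src 'self'", "inline"),
    _report("https://example.test/profile", "script-src 'self'",
            "https://third-party.example/tracker.js"),
    _report("https://example.test/about", "img-src 'self'",
            "https://images.example/logo.png"),
    b"not json at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
```

In production the same functions would sit behind the POST handler named in report-uri; keeping parsing and classification separate from the HTTP layer makes it easy to test against captured reports and to alert only on the script-class violations the email is concerned about.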
