That depends on your definition of reliable. CSP is not a panacea, but
it is expected to be able to enforce a set of restrictions that are
reliable. Reliability is an aspect of any feature in the browser, I
imagine, so it's not like we can dodge that. To rely on those particular
restrictions sites will have to try to determine if the UA supports
it, which they will try to do (poorly) by mapping UA versions to CSP
support.

I don't mean to try to short circuit the conversation around this but
I feel like we've gone several rounds on versioning and I'm trying to
figure out if there are any additional issues we haven't already
discussed. If the major objection is that developers may some day
actually rely on CSP to provide a set of security mitigations then I
can honestly say that's a problem I'd be happy to have.

Thanks,
Lucas.

On Apr 10, 2009, at 7:06 AM, Gervase Markham wrote:
But by design, it can't be entirely reliable, because it can't read
the developer's mind. Or have you got the ESP module working
properly now? :-)
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security