On Thu, Oct 22, 2009 at 12:36 PM, Mike Ter Louw <mter...@uic.edu> wrote: > In this case, this boils down to: should CSP directives be threat-centric or > content-type-centric? Alternatively, this may be an example of CSP being > too granular.
I suspect we'll need to experiment with different approaches before we have a good idea how to answer this question. In intuition tells me that we'd be better off with a threat-centric design, but it's hard to know ahead of time. On Thu, Oct 22, 2009 at 12:53 PM, Mike Ter Louw <mter...@uic.edu> wrote: > Is it acceptable (not too strict) to block all form submission to non-self > and non-whitelisted action URIs when the anti-csrf directive is given? If > so, then the above usability issue may be moot: we can have anti-csrf imply > an as-yet-undefined directive that blocks form submission. Instead of bundling everything together into "anti-csrf", we might be better off with a directive to control where you can submit forms, e.g., "form-action", but we seem to be getting far afield of the problem you're trying to solve. At a high level, I'm glad that you took the time to add your ideas to the wiki, and I hope that other folks will do the same. My personal opinion is that the current design has room for improvement, particularly around clarifying precisely what problem the module is trying to solve, but my opinion is just one among many. I'd like to encourage more people to contribute their ideas in the form of experimental modules, and hopefully the best ideas will rise to the top. Adam _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
