Adam wrote:
>
> There's been a bunch of discussion on the public-web-security mailing
> list about the scope of CSP.  Some folks think that CSP should be a
> narrow feature targeted at mitigating cross-site scripting.  Other
> folks (e.g., as articulated in
> <http://w2spconf.com/2010/papers/p11.pdf>) would like to see CSP be
> more of a one-stop shop for configuring security-relevant policy for a
> web site.

Well, to be clear, we (AndyS and I) aren't calling (in the above-cited paper) for CSP per se to address all use cases -- rather, we see it as a non-trivial piece of a necessarily multi-faceted approach to crafting a more coherent approach to web application security.

That said, we do feel that attenuation of the growth of the number of distinct HTTP header fields would probably be a good thing, which would augur for trying to figure out how, e.g., CSP might address this use case.

=JeffH
