In the interest of setting a positive example, I thought I should send out an email about the new feature I'm working on. Ideally, I would have sent out this email earlier in the development cycle, but the policy didn't exist at that time.
== Overview ==

Content-Security-Policy (CSP) is a way for web sites to mitigate some of their security vulnerabilities by disabling unused browser functionality. For example, a web site can restrict script execution to only external scripts fetched from a whitelist of URLs, mitigating cross-site scripting vulnerabilities. Web sites can supply a Content-Security-Policy for a document either in an HTTP header or in an HTML <meta> element in the document. Over time, we expect to add more directives to the policy language, but for the moment we're focusing on helping web sites mitigate cross-site scripting.

== Community Interest ==

Mozilla is strongly interested in implementing CSP. They've been working on the idea for a couple of years and have shipped an experimental implementation in Firefox 4. There's also significant interest from major web site operators, most publicly from Twitter: http://engineering.twitter.com/2011/03/improving-browser-security-with-csp.html

The general approach of content restrictions (of which CSP is one design) has also been thoroughly analyzed by academics as well as by white-hat security researchers.

The chrome-team has also expressed interest in using CSP internally to improve the security of some of Chrome's HTML-based UI and of its extension system. Currently, Chrome's bookmark manager is using CSP to mitigate cross-site scripting.

== Standards ==

The appropriate standards forum for discussing Content-Security-Policy is the W3C's public-web-security mailing list: http://lists.w3.org/Archives/Public/public-web-security/

The most recent version of the spec can be found at <https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>.

The W3C staff have circulated a draft charter for a web security working group which would include standards-track work on CSP, but the working group has not yet been formed.
== Development Plan ==

You can follow the implementation of Content-Security-Policy by adding yourself to the CC list of the meta bug: https://bugs.webkit.org/show_bug.cgi?id=53572

I'm developing the feature using the experimental name X-WebKit-CSP. My plan is to track the specification as it evolves. When the specification appears to be stable, we'll rename X-WebKit-CSP to Content-Security-Policy and have some cake.

Adam

_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
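The following is an added illustration, not code from the email or from WebKit: a small model of the script-whitelisting behaviour the Overview describes, reading the policy from either the standard header name or the experimental X-WebKit-CSP name mentioned above. The policy string, header dict and URLs are constructed; source matching is simplified to exact origins plus 'self', and any script-src whitelist is taken to block inline scripts.

```python
from urllib.parse import urlparse

# Constructed example policy: scripts may load only from the document's own
# origin ('self') or one whitelisted CDN origin. Inline scripts are not on
# the whitelist, which is what blunts injected <script> blocks.
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"


def parse_policy(header_value):
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def policy_from_headers(headers):
    """Return the parsed policy from response headers, checking the standard
    name first and then the experimental name WebKit uses for now."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("content-security-policy", "x-webkit-csp"):
        if name in lowered:
            return parse_policy(lowered[name])
    return {}  # no policy: the browser behaves as it always has


def origin_of(url):
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def script_allowed(policy, document_url, script_url=None):
    """Decide whether a script may run. script_url=None means an inline
    <script> block. Assumption: script-src falls back to default-src, and
    sources are matched by exact origin only (no wildcards or schemes)."""
    if "script-src" not in policy and "default-src" not in policy:
        return True  # nothing restricts scripts
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return False  # an origin whitelist never covers inline code
    script_origin = origin_of(script_url)
    for src in sources:
        if src == "'self'" and script_origin == origin_of(document_url):
            return True
        if src.startswith("http") and script_origin == src.rstrip("/"):
            return True
    return False
```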

