To be honest, I hate the idea that one should disable large parts of
emerging standard capability such as JavaScript, CSS, fonts, ... this
just makes web designers have to deal with users demanding all forms of
crippling be supported.

Far better to sandbox, as Chromium does with its version of WebKit.
That fixes the issue where it really lies.

If there is an option to cripple JavaScript, please keep it a
compile-time option.

On 03/18/2010 11:44 AM, Michael A. Peters wrote:
I have recently become a big fan of Midori primarily due to its
rendering speed. The one thing that keeps me using Firefox is the
NoScript extension.

Firefox also is doing some work on something called Content Security
Policy, which I am already implementing on my web sites.

I think it would be wonderful if WebKit could implement content
security policy, and allow users to optionally define default policies
that can override the web site defined policy (if one exists) to make
the policy stricter.

I.e., I could set default policy to allow CSS, image, video, audio from
anywhere but only allow script, embed, object from whitelisted web sites.

This would give me much the same security as NoScript gives when using
WebKit browsers and would also let me benefit from policy
restrictions that web masters themselves set.

Default should be allow all so that web sites that do not use CSP do
not have blocked resources unless the user wants the additional
protection (in which case the user can add whitelisted domains etc.)
but doing it this way kills two birds with one stone - it implements
CSP and provides functionality similar to NoScript for those of us who
want it.

Of course if a web site does send the CSP header, user defined CSP
should only tighten the policy, never loosen the policy.

Is this the kind of thing WebKit might be interested in implementing?

I really like NoScript; blocking unwanted flash and JS garbage that do
things with my browser that I do not want done is a real benefit to me.
_______________________________________________
webkit-gtk mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-gtk
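
The "user policy may only tighten, never loosen" rule proposed in the quoted message, sketched as an added example (not code from the thread or from WebKit): every load is checked against each policy in force and must pass all of them. Directive names follow current CSP syntax, and the hosts and policy strings are constructed for illustration.

```javascript
// Added illustration. Simplified matching: hosts only; schemes, ports, paths
// and keywords such as 'self' are not modelled.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // As in CSP, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function hostMatches(source, host) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  // "*.example.com" covers subdomains only, not example.com itself.
  if (s.startsWith('*.')) return host.endsWith(s.slice(1));
  return s === host;
}

function policyAllows(policy, directive, host) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing applies: unrestricted
  // 'none' or an empty list matches no host, so the load is refused.
  return sources.some((s) => hostMatches(s, host));
}

// A load must pass every policy in force, so adding the user's policy can
// only remove permissions. An empty list means "allow all" (the default).
function isAllowed(policies, directive, url) {
  const host = new URL(url).hostname;
  return policies.every((p) => policyAllows(p, directive, host));
}

// Constructed sample policies (hypothetical hosts).
const userPolicy = parsePolicy(
  'default-src *; script-src trusted.example; object-src trusted.example');
const sitePolicy = parsePolicy(
  'default-src cdn.example trusted.example ads.example');

// Site permits ads.example, the user's script whitelist does not.
console.log(isAllowed([sitePolicy, userPolicy], 'script-src', 'https://ads.example/t.js'));
// User allows images from anywhere, but the site's stricter list still applies.
console.log(isAllowed([sitePolicy, userPolicy], 'img-src', 'https://other.example/a.png'));
```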