
Re: Proposed directive for CSP.next: "no-user-js"

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 14 Dec 2011 14:18:55 -0800
Message-ID: <CAPfop_3VmDHFNNi1cCCC3aFEmg17nxJb4=SqGoXyXYhnOA7RFA@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
> Or to put this differently, there is some risk that if you put browser
> configuration settings in scope for CSP, you will end up with MSIE
> zone model at some point ;-)
>
+1.

Is this in scope for CSP? CSP is per-resource, and this seems to be a
per-site thing. Maybe another header (similar to how STS turns on a
site-wide switch).

=dev
On 14 December 2011 14:15, Michal Zalewski <lcamtuf@coredump.cx> wrote:
> Or to put this differently, there is some risk that if you put browser
> configuration settings in scope for CSP, you will end up with MSIE
> zone model at some point ;-)
>
Received on Wednesday, 14 December 2011 22:19:51 GMT
