Re: Proposed directive for CSP.next: "no-user-js" from Devdatta Akhawe on 2011-12-14 (public-web-security@w3.org from December 2011)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 14 Dec 2011 14:18:55 -0800
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Message-ID: <CAPfop_3VmDHFNNi1cCCC3aFEmg17nxJb4=SqGoXyXYhnOA7RFA@mail.gmail.com>

> Or to put this differently, there is some risk that if you put browser> configuration settings in scope for CSP, you will end up with MSIE> zone model at some point ;-)>
+1.

Is this in scope for CSP? CSP is per-resouce, and this seems to be a
per-site thing. Maybe another header (similar to how STS turns on a
site-wide switch).

=dev
On 14 December 2011 14:15, Michal Zalewski <lcamtuf@coredump.cx> wrote:
> Or to put this differently, there is some risk that if you put browser
> configuration settings in scope for CSP, you will end up with MSIE
> zone model at some point ;-)
>

Received on Wednesday, 14 December 2011 22:19:51 UTC