
Re: Proposed directive for CSP.next: "no-user-js"

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 14 Dec 2011 14:28:11 -0800 (PST)
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-web-security@w3.org, Michal Zalewski <lcamtuf@coredump.cx>
Message-ID: <2034948490.37521.1323901691090.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
> Is this in scope for CSP? CSP is per-resource, and this seems to be a
> per-site thing. Maybe another header (similar to how STS turns on a
> site-wide switch).
> 
> =dev

This is an instinct that we need to fight.  We can't afford to keep creating a new security header every time we want to address a new threat model.  We want CSP to be an extensible framework for security, so it's at least fair to suggest that it could grow to address this particular threat.

I also don't see why this is inherently a site-wide option, at least why it's any more of a site-wide option than, say, the "don't allow XSS" portion of your policy.

-Brandon
Received on Wednesday, 14 December 2011 22:28:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 14 December 2011 22:28:41 GMT