- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Wed, 14 Dec 2011 14:28:11 -0800 (PST)
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-web-security@w3.org, Michal Zalewski <lcamtuf@coredump.cx>
> Is this in scope for CSP? CSP is per-resource, and this seems to be a
> per-site thing. Maybe another header (similar to how STS turns on a
> site-wide switch).
>
> =dev

This is an instinct that we need to fight. We can't afford to keep creating a new security header every time we want to address a new threat model. We want CSP to be an extensible framework for security, so it's at least fair to suggest that it could grow to address this particular threat.

I also don't see why this is inherently a site-wide option, at least why it's any more of a site-wide option than, say, the "don't allow XSS" portion of your policy.

-Brandon
Received on Wednesday, 14 December 2011 22:28:40 UTC