W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Mon, 31 Jan 2011 19:40:21 -0500
Message-ID: <AANLkTim8fx69N-uFBQSwrqSprV0E_6ih+5bCbA41q_0o@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On Mon, Jan 31, 2011 at 5:36 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> Ok I've thought about this, IMO here is what you need:-
>
> 1) Policy editor. A online/offline editor to create policy scripts with a
> nice UI.

IMO, if this needs a policy editor, it's vastly too complicated for
the web.  Policy editors put me in mind of SELinux.

> 2) Validator. You need to validate policies, so we know what they are doing
> instead of thinking we know what they're doing. Should CSP refuse to load
> sites with invalid policies or syntax errors? I think yes.

XML-style well-formedness is usually not looked upon kindly for web
standards.  It makes it much too easy to DoS your site by accident,
and doesn't have much benefit.  Parsing should be well-defined in the
face of errors, and whatever policies you're able to parse should be
applied, with an error printed to the console.
Received on Tuesday, 1 February 2011 00:41:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 1 February 2011 00:41:14 GMT