- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 24 Jan 2011 15:52:30 -0800
- To: Gervase Markham <gerv@mozilla.org>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, John Wilander <john.wilander@owasp.org>, Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org, Joel Howard Willis Weinberger <jww@eecs.berkeley.edu>
On Mon, Jan 24, 2011 at 10:29 AM, Gervase Markham <gerv@mozilla.org> wrote: > On 24/01/11 05:47, Devdatta Akhawe wrote: >> I would also add developing policies for common applications like >> Drupal, WordPress, MediaWiki etc. We tried to develop a CSP policy for >> BugZilla and it seemed too much work to do it without enabling >> inline-scripts. > > Did you communicate with the Bugzilla development team while doing this? I > didn't see anything cross the mailing list... Getting Bugzilla in a state > where it can have a CSP policy would be a great thing. Why not file a bug > about it? We did this as an experiment to evaluate how easy it was to deploy CSP on a real web site. Joel can tell you more of the details. We eventually got it working, although we had to do some work to avoid losing performance. Adam
Received on Monday, 24 January 2011 23:53:30 UTC