
Re: Scope and complexity (was Re: More on XSS mitigation)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 25 Jan 2011 22:03:09 +0000
Message-ID: <AANLkTin5_zjKOLCrw6p1OfVXmgoMqEViS6OL4D6a9W24@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On 25 January 2011 21:45, Adam Barth <w3c@adambarth.com> wrote:

> I guess I wish we had an extensibility model more like HTML where we
> could grow the security protections over time.  For example, we can
> probably agree that both <canvas> and <video> are great additions to
> HTML that might not have made sense when folks were designing HTML
> 1.0.
>

Glad you're coming around to my way of thinking =)

 X-Content-Security-Policy: policy.csp

policy.csp:-
* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}

This makes so much sense and is easy to understand for devs, can be validated,
and you can use existing technology (i.e. CSS parsers) to parse the policy
file. I'll shut up now
Received on Tuesday, 25 January 2011 22:03:42 GMT
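A toy parser and checker for the policy sketch above, written as an added example (not code from the thread or from any browser): it uses a small regex in place of a real CSS parser, and the meaning of same-domain, proxy-only, proxy:url() and onclick:true, as well as tag blocks overriding *, are assumptions.

```python
"""Toy parser and evaluator for the CSS-like policy sketched in the message.
Added example, not code from the thread: the grammar follows the sketch; what
same-domain, proxy-only, proxy:url() and onclick:true mean is my assumption."""
import re
from urllib.parse import quote, urlparse

# Constructed copy of the policy.csp text from the message.
POLICY_TEXT = """
* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}
"""

_BLOCK = re.compile(r"([\w*]+)\s*\{([^}]*)\}")

def parse_policy(text):
    """Return {selector: {prop: value}}; url(...) wrappers are unwrapped."""
    policy = {}
    for selector, body in _BLOCK.findall(text):
        rules = {}
        for decl in body.split(";"):
            if ":" in decl:
                prop, value = (s.strip() for s in decl.split(":", 1))
                url = re.fullmatch(r"url\((.*)\)", value)
                rules[prop] = url.group(1) if url else value
        policy[selector] = rules
    return policy

def check_attr(policy, page_url, tag, attr, value):
    """Return (allowed, effective_value) for <tag attr="value"> on page_url;
    under proxy-only the value is rewritten to fetch through the proxy."""
    rules = dict(policy.get("*", {}))
    rules.update(policy.get(tag, {}))           # assumed: tag block overrides *
    if attr == "onclick":                       # inline handlers are off by default
        return rules.get("onclick") == "true", value
    if rules.get(attr) == "proxy-only":
        return True, rules["proxy"] + quote(value, safe="")
    if rules.get("origin") == "same-domain":    # relative or same-host URLs only
        host = urlparse(value).netloc
        return host in ("", urlparse(page_url).netloc), value
    return False, value                         # nothing permits it: deny
```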
