Re: Scope and complexity (was Re: More on XSS mitigation) from gaz Heyes on 2011-01-25 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 25 Jan 2011 22:03:09 +0000
To: Adam Barth <w3c@adambarth.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
Message-ID: <AANLkTin5_zjKOLCrw6p1OfVXmgoMqEViS6OL4D6a9W24@mail.gmail.com>

On 25 January 2011 21:45, Adam Barth <w3c@adambarth.com> wrote:

> I guess I wish we had an extensibility model more like HTML where we
> could grow the security protections over time.  For example, we can
> probably agree that both <canvas> and <video> are great additions to
> HTML that might not have made sense when folks were designing HTML
> 1.0.
>

Glad you're coming around to my way of thinking =)

 X-Content-Security-Policy: policy.csp

policy.csp:-
* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}

This makes so much sense and easy to understand for devs, can be validated
and you can use existing technology (ie. CSS parsers) to  parse the policy
file. I'll shut up now

Received on Tuesday, 25 January 2011 22:03:42 UTC