Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Mon, 31 Jan 2011 10:38:48 +0000
Message-ID: <4D469138.2020703@mozilla.org>
To: gaz Heyes <gazheyes@gmail.com>
CC: public-web-security@w3.org

On 31/01/11 10:36, gaz Heyes wrote:
> 2) Validator. You need to validate policies, so we know what they are
> doing instead of thinking we know what they're doing. Should CSP refuse
> to load sites with invalid policies or syntax errors? I think yes.

It would also be good to have a Firefox extension which applied a policy 
to pages on a defined site, so one could test policies without even 
having to alter your server-side code, or well-meaning people could 
develop sample policies for big websites.

(Basically, it's an HTTP header injector, except it would turn off any 
reporting to the site owner, including events, so they weren't spammed.)

Gerv
Received on Monday, 31 January 2011 10:39:26 GMT
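
The header-rewriting step of the tool suggested above, as an added example that is not part of the original message or of any Mozilla code: it takes a candidate policy, drops the reporting directives so the site owner receives no reports from local testing, and returns the value to inject. The function names, the set of directive names treated as reporting, and the sample policy are assumptions of this sketch; suppressing violation events is outside what a header rewrite can do.

```javascript
// Added example: prepare a CSP header value for local test injection.
// Assumption: these directive names are the ones that trigger reports.
const REPORTING_DIRECTIVES = new Set(["report-uri", "report-to"]);

// Constructed sample policy: mixed case, an empty segment, a duplicate.
const SAMPLE_POLICY =
  "default-src 'self'; img-src *; Report-URI https://example.test/csp; ;" +
  "script-src 'self'; img-src data:";

// Split a policy string into [{name, value}] directives.
// Names are case-insensitive; empty segments (";;", trailing ";") are skipped.
function parsePolicy(policy) {
  const directives = [];
  for (const segment of policy.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.push({
      name: tokens[0].toLowerCase(),
      value: tokens.slice(1).join(" "),
    });
  }
  return directives;
}

// Return the policy to inject with reporting removed, plus a list of
// what was dropped so the tester can see how it differs from the input.
function policyForLocalTesting(policy) {
  const kept = [];
  const dropped = [];
  const seen = new Set();
  for (const d of parsePolicy(policy)) {
    if (REPORTING_DIRECTIVES.has(d.name)) {
      dropped.push(d.name);
      continue;
    }
    // Browsers honour only the first occurrence of a directive, so a
    // later duplicate is dropped here and surfaced to the tester.
    if (seen.has(d.name)) {
      dropped.push(d.name + " (duplicate)");
      continue;
    }
    seen.add(d.name);
    kept.push(d.value ? `${d.name} ${d.value}` : d.name);
  }
  return { header: kept.join("; "), dropped };
}
```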
