- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 31 May 2011 12:00:02 -0700
- To: sird@rckc.at
- CC: Eduardo Vela <sirdarckcat@gmail.com>, public-web-security@w3.org, masatokinugawa@gmail.com
On 5/30/11 10:37 AM, Eduardo Vela wrote:
> Could it be possible to whitelist specific files, instead of complete
> origins? Maybe even global expressions (e.g.
> www.youtube.com/scripts/*.js)?

It's a valid suggestion, left out of the current implementation in the interests of simplicity and incrementalism. It is easy to add in the future but hard to take out once supported. CSP as it stands will work in some situations and maybe not quite as well in others. Sites that use YouTube and CSP are no worse off than they already are without CSP, and CSP greatly limits the attack surface in general.

I'd like to let CSP go forward with the current site-level whitelisting and collect feedback from sites who have deployed it. It should become clear whether we need the added feature or not.

In the present we should make sure "host[:port]/" is ignored as invalid (but not invalidating the entire policy, of course) so we can use the presence of the '/' to distinguish the two cases in the future.

> I think forcing the right Content-Type for scripts might be the best
> solution, and maybe a rule to override this behavior, comments?

I supported this, a bit disappointed it has been dropped. It may not have helped much if people had to override the behavior most of the time.

-Dan Veditz
Received on Tuesday, 31 May 2011 19:00:39 UTC
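The parsing behaviour Dan asks for above (a path-bearing source such as `host[:port]/` or `www.youtube.com/scripts/*.js` is dropped as invalid while the rest of the directive, and the policy, still applies) as an added example; this is not code from the thread or from any browser's CSP implementation. The host-source grammar, the three supported keyword sources and the `script-src` to `default-src` fallback are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed host-source grammar: optional scheme, host (optional "*."), optional
# ":port" or ":*", and no path, so a "host[:port]/..." token fails to match.
_HOST_SOURCE = re.compile(
    r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*"
    r"(?::(?:\d+|\*))?$")
_KEYWORDS = {"'self'", "'none'", "*"}  # other keyword sources are out of scope here
_DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_source_list(value: str) -> Tuple[List[str], List[str]]:
    """Split a directive value into (accepted, ignored); invalid entries are dropped."""
    accepted, ignored = [], []
    for token in value.split():
        ok = token in _KEYWORDS or _HOST_SOURCE.match(token) is not None
        (accepted if ok else ignored).append(token)
    return accepted, ignored

def parse_policy(header: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Parse a CSP header value into {directive: (accepted, ignored)}."""
    policy = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:  # an ignored source never invalidates the whole policy
            policy[name.lower()] = parse_source_list(value)
    return policy

def _source_matches(source: str, url: str, page_origin: str) -> bool:
    u = urlsplit(url)
    if source in ("'none'", "*"):
        return source == "*"
    if source == "'self'":
        return (u.scheme, u.netloc) == urlsplit(page_origin)[:2]
    scheme, _, hostport = source.rpartition("://")
    host, _, port = hostport.lower().partition(":")
    if scheme and u.scheme != scheme:
        return False
    if port not in ("", "*") and (u.port or _DEFAULT_PORTS.get(u.scheme)) != int(port):
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def script_allowed(header: str, url: str, page_origin: str) -> bool:
    """True if script-src (else default-src, an assumed fallback) permits url."""
    policy = parse_policy(header)
    accepted, _ = policy.get("script-src") or policy.get("default-src") or ([], [])
    return any(_source_matches(s, url, page_origin) for s in accepted)
```

With a constructed header such as `script-src 'self' www.youtube.com/scripts/*.js s.ytimg.com`, the YouTube path entry is reported as ignored, `s.ytimg.com` scripts still load, and a script from `www.youtube.com` is blocked rather than the whole policy being discarded.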