- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Tue, 01 Mar 2011 10:29:52 -0800
- To: W3C WebApps WG <public-webapps@w3.org>
- CC: Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
Adam wrote:
> There's been a bunch of discussion on the public-web-security mailing
> list about the scope of CSP. Some folks think that CSP should be a
> narrow feature targeted at mitigating cross-site scripting. Other
> folks (e.g., as articulated in
> <http://w2spconf.com/2010/papers/p11.pdf>) would like to see CSP be
> more of a one-stop shop for configuring security-relevant policy for a
> web site.

Well, to be clear, we (AndyS and I) aren't calling (in the above-cited paper) for CSP per se to address all use cases -- rather, we see it as a non-trivial piece of a necessarily multi-faceted approach to crafting a more coherent approach to web application security.

That said, we do feel that attenuation of the growth of the number of distinct HTTP header fields would probably be a good thing, which would augur for trying to figure out how, e.g., CSP might address this use case.

=JeffH
Received on Tuesday, 1 March 2011 18:30:20 UTC