Re: [webappsec] CSP META tag support - keep or remove?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 2 Apr 2012 17:17:45 -0700
Message-ID: <CAPfop_2ZPHsR=71cKqXV3anoMJxof--VVuPHDwNcFhargXxc4w@mail.gmail.com>
To: public-webappsec@w3.org

On Fri, Mar 30, 2012 at 9:02 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/27/12 3:06 PM, Adam Barth wrote:
>> Let's number the use cases for easy reference (from Brad's message):
>>
>> 1) Support static documents loaded by file: , data: or other non-HTTP methods
>
> Not a common case. A more compelling "web" use-case is for
> situations where authors are given space for content but no control
> over the headers served (example: blog hosting services, the old
> Geocities). At Mozilla we were sad to give this case up when we
> decided policy-uri was safer than a <meta> tag.

To me, applications such as browser extensions (e.g., NoScript and
AdBlock) also count as `web' applications. This falls in the
"documents loaded by non-HTTP methods." Given the massive popularity
of these extensions, I would say it is a significant use case
(certainly not the most common case, but definitely warranting a say).

thanks
dev
Received on Tuesday, 3 April 2012 00:18:35 GMT
