
Re: [webappsec] CSP META tag support - keep or remove?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 2 Apr 2012 18:33:12 -0700
Message-ID: <CAJE5ia8WUAVZuohTc3jq-n+TY80vwj79YK_F3JQDs_vZO5bXeg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: public-webappsec@w3.org

On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 9:02 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 3/27/12 3:06 PM, Adam Barth wrote:
>>> Let's number the use cases for easy reference (from Brad's message):
>>>
>>> 1) Support static documents loaded by file:, data: or other non-HTTP methods
>>
>> Not a common case. A more compelling "web" use-case is for
>> situations where authors are given space for content but no control
>> over the headers served (example: blog hosting services, the old
>> Geocities). At Mozilla we were sad to give this case up when we
>> decided policy-uri was safer than a <meta> tag.
>
> To me, applications such as browser extensions (e.g., NoScript and
> AdBlock) also count as `web' applications. This falls in the
> "documents loaded by non-HTTP methods." Given the massive popularity
> of these extensions, I would say it is a significant use case
> (certainly not the most common case, but definitely warranting a say)

Note: Chrome has added support for Content-Security-Policy natively in
its extension system:

http://code.google.com/chrome/extensions/contentSecurityPolicy.html

That's generally a better approach than the <meta> element because the
policy is enforced immediately and for all the resources in the
extension.

Adam
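The timing point in the message above, as an added illustration (example code, not from the thread or from any browser): a `<meta>`-delivered policy takes effect only once the parser reaches the tag, so every resource-loading element that precedes it is fetched with no policy at all, a gap that a header or an extension manifest policy does not have. The `http-equiv="Content-Security-Policy"` attribute name and the set of elements treated as resource loaders are assumptions of this lint check, not something the thread specifies.

```javascript
// Added example, not part of the original message. Audits an HTML
// document for a CSP delivered via <meta> and reports which
// resource-loading elements appear before the tag, i.e. are fetched
// before the policy is in force. Regex-based on purpose: it is a lint
// over source text, not a browser-grade parser.
const META_CSP_RE =
  /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy["']?[^>]*>/i;
// Elements assumed to trigger a fetch or inline execution (assumption).
const LOADER_SRC = '<(script|link|img|iframe|object|embed|style)\\b[^>]*>';

function auditMetaCsp(html) {
  const meta = META_CSP_RE.exec(html);
  if (!meta) {
    return { hasMetaPolicy: false, policy: null, unprotected: [] };
  }
  const contentAttr = /\bcontent\s*=\s*(["'])(.*?)\1/i.exec(meta[0]);
  const policy = contentAttr ? contentAttr[2] : '';
  const unprotected = [];
  const loaderRe = new RegExp(LOADER_SRC, 'gi'); // fresh regex per call
  let m;
  while ((m = loaderRe.exec(html)) !== null) {
    if (m.index < meta.index) {
      // Loaded before the parser reached the <meta> tag: policy not applied.
      unprotected.push(m[1].toLowerCase());
    }
  }
  return { hasMetaPolicy: true, policy, unprotected };
}

// Constructed sample documents (no real sites referenced).
const LATE_META = `<!doctype html><html><head>
<script src="https://cdn.example/analytics.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body><img src="https://cdn.example/logo.png"></body></html>`;

const EARLY_META = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="/app.js"></script></head><body></body></html>`;

console.log(auditMetaCsp(LATE_META));  // unprotected: ['script']
console.log(auditMetaCsp(EARLY_META)); // unprotected: []
```

A header-delivered policy has no equivalent gap, which is the reason the message prefers the extension system's native support over `<meta>`.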
Received on Tuesday, 3 April 2012 01:34:14 GMT