Re: [webappsec] CSP META tag support - keep or remove?

On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 9:02 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 3/27/12 3:06 PM, Adam Barth wrote:
>>> Let's number the use cases for easy reference (from Brad's message):
>>>
>>> 1) Support static documents loaded by file: , data: or other non-HTTP methods
>>
>> Not a common case. A more compelling "web" use-case is for
>> situations where authors are given space for content but no control
>> over the headers served (example: blog hosting services, the old
>> Geocities). At Mozilla we were sad to give this case up when we
>> decided policy-uri was safer than a <meta> tag.
>
> To me, applications such as browser extensions (e.g., NoScript and
> AdBlock) also count as `web' applications. This falls in the
> "documents loaded by non-HTTP methods." Given the massive popularity
> of these extensions, I would say it is a significant use case
> (certainly not the most common case, but definitely warranting a say)

Note: Chrome has added support for Content-Security-Policy natively in
its extension system:

http://code.google.com/chrome/extensions/contentSecurityPolicy.html

That's generally a better approach than the <meta> element because the
policy is enforced immediately and for all the resources in the
extension.

Adam

Received on Tuesday, 3 April 2012 01:34:14 UTC
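The limitation Adam alludes to (a header or manifest policy is in force before any resource is fetched, whereas a <meta> policy only takes effect once the parser reaches that element) is easy to check for mechanically. The script below is an added example written for this archive page; it is not code from the thread, from W3C, or from Chrome's extension system. It walks an HTML document and reports which resource-loading elements appear before the first <meta http-equiv="Content-Security-Policy"> and are therefore outside the policy's reach. The sample document is constructed for illustration.

```python
"""Audit an HTML document for fetches that a <meta>-delivered CSP cannot govern.

A policy delivered in a Content-Security-Policy header (or, for Chrome
extensions, in the manifest) applies before any subresource is requested.
A policy delivered via <meta http-equiv="Content-Security-Policy"> only
applies to elements parsed after it, so anything earlier in the document
is loaded without the policy. This script flags those earlier elements.
"""
from html.parser import HTMLParser

# Elements whose attribute triggers a fetch that CSP would normally govern.
FETCHING = {
    "script": "src",
    "img": "src",
    "link": "href",
    "iframe": "src",
    "object": "data",
}


class MetaCspAudit(HTMLParser):
    """Records fetches seen before and after the first meta CSP element."""

    def __init__(self):
        super().__init__()
        self.policy = None      # content of the first meta CSP, if any
        self.uncovered = []     # (tag, url) parsed before the policy
        self.covered = []       # (tag, url) parsed after the policy

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if self.policy is None:
                self.policy = a.get("content", "")
            return
        attr = FETCHING.get(tag)
        if attr and a.get(attr):
            target = self.uncovered if self.policy is None else self.covered
            target.append((tag, a[attr]))
        elif tag == "script" and self.policy is None:
            # An inline script before the meta element runs with no policy at all.
            self.uncovered.append(("script", "inline"))


def audit(html):
    """Return the policy found and the fetches it does and does not cover."""
    parser = MetaCspAudit()
    parser.feed(html)
    parser.close()
    return {
        "policy": parser.policy,
        "uncovered": parser.uncovered,
        "covered": parser.covered,
    }


# Constructed sample: one script is fetched before the meta policy is parsed.
SAMPLE = """<!doctype html>
<html><head>
<script src="https://cdn.example/analytics.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<link rel="stylesheet" href="/site.css">
</head><body>
<img src="https://ads.example/pixel.gif">
</body></html>"""


if __name__ == "__main__":
    result = audit(SAMPLE)
    print("policy:", result["policy"])
    for tag, url in result["uncovered"]:
        print("NOT covered by meta policy:", tag, url)
    for tag, url in result["covered"]:
        print("covered:", tag, url)
```

Running it on the sample reports the analytics script as uncovered and the stylesheet and image as covered, which is exactly the gap a header-delivered policy (or the extension manifest key Adam points to) does not have. For a hosted-content scenario like the one Dan describes, moving the <meta> element to the very top of <head> narrows that gap but never closes it for resources the host injects ahead of the author's markup.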