webappsec-ISSUE-18 (CSP as risk assessment score): Use CSP to report app risk and compatibility with user specified restrictions

http://www.w3.org/2011/webappsec/track/issues/18

Raised by: Brad Hill
On product: 

Last Call comment by Fred Andrews:

http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html

There are some interesting ideas in this proposal and I suggest trying to recover some of these by changing the approach to communicating the restrictions within which an application can operate. Clients could also use such information to give users a risk assessment of an application - for example an application that does not require JS would be a much lower risk, applications that are not contacting third parties or do not store long-term cookies could be rated as more private, applications that use only https could be rated as more secure, etc. It would also allow clients to determine if applications will work under the restrictive settings that they have set. There seems to be scope for a much more positive contribution here, and it needs to take into account client extensions which could be a difficult issue to resolve.

Received on Tuesday, 11 September 2012 03:24:47 UTC
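The following is an added example of the idea in the comment above; it is not code from the W3C issue, from Fred Andrews or from any browser. It parses a Content-Security-Policy header following CSP 1.0 directive semantics (repeated directives ignored, fetch directives falling back to default-src, scheme-less host sources matching the protected resource's scheme), rates the policy on the three axes the comment names (no script required, first-party only, https only), and then checks that rating against restrictions a user has chosen. The rating criteria, the shape of the user-restrictions object and the two sample policies are assumptions made for this example. Note the caveat the comment's fourth criterion runs into: cookie lifetime is not expressible in CSP, so a client cannot derive it from the header and it is not rated here.

```javascript
// Added example (not part of the W3C issue or of Fred Andrews' comment):
// derive a coarse risk/privacy assessment from a CSP header and compare it
// with user-chosen restrictions. Rating criteria and the restrictions
// object are assumptions for this example; cookie lifetime is not in CSP.

// CSP 1.0 fetch directives that fall back to default-src when absent.
const FETCH_DIRECTIVES = [
  'script-src', 'object-src', 'style-src', 'img-src', 'media-src',
  'frame-src', 'font-src', 'connect-src',
];

// Parse "name src src; name src" into a Map of directive name -> source list.
// Per CSP 1.0 a repeated directive is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Effective source list for a fetch directive: the directive itself,
// else default-src, else unrestricted ('*').
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return ['*'];
}

// Keyword and data sources that never cause a load from another origin.
function isLocalSource(src) {
  return src === "'self'" || src === "'none'" || src === 'data:' || src === 'blob:'
    || src === "'unsafe-inline'" || src === "'unsafe-eval'";
}

// Does one source expression permit only https loads? A scheme-less host (and
// 'self') matches the scheme of the protected resource, so the answer depends
// on whether the page itself is served over https (documentIsHttps).
function isHttpsSource(src, documentIsHttps) {
  if (src === "'self'") return documentIsHttps;
  if (isLocalSource(src)) return true;
  if (src === '*') return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === 'https:';   // scheme-source
  const m = /^([a-z][a-z0-9+.-]*):\/\//.exec(src);
  if (m) return m[1] === 'https';                                   // scheme://host
  return documentIsHttps;                                           // bare host[:port]
}

// Rate a policy along the three axes the comment suggests.
function assessCsp(header, documentIsHttps) {
  const policy = parseCsp(header);
  const scriptSrc = effectiveSources(policy, 'script-src');
  const allSources = FETCH_DIRECTIVES.map(d => effectiveSources(policy, d)).flat();
  return {
    // lower risk: the app declares that it needs no script at all
    requiresScript: !(scriptSrc.length === 1 && scriptSrc[0] === "'none'"),
    // more private: every fetch directive is limited to local sources
    firstPartyOnly: allSources.every(isLocalSource),
    // more secure: every permitted origin is reachable only over https
    httpsOnly: allSources.every(s => isHttpsSource(s, documentIsHttps)),
  };
}

// Compare an assessment with the user's own restrictions and list conflicts.
// Assumed restriction keys: blockScript, blockThirdParty, requireHttps.
function checkCompatibility(assessment, restrictions) {
  const conflicts = [];
  if (restrictions.blockScript && assessment.requiresScript)
    conflicts.push('app requires script but user blocks script');
  if (restrictions.blockThirdParty && !assessment.firstPartyOnly)
    conflicts.push('app loads from third parties but user blocks third parties');
  if (restrictions.requireHttps && !assessment.httpsOnly)
    conflicts.push('app permits non-https sources but user requires https');
  return conflicts;
}

// Constructed sample policies (not taken from any real site).
const SAMPLE_STRICT = "default-src 'self'; script-src 'none'; img-src 'self' data:";
const SAMPLE_LOOSE = "default-src 'self' https://cdn.example; script-src 'self' http://ads.example; connect-src *";
const USER_LOCKED_DOWN = { blockScript: true, blockThirdParty: true, requireHttps: true };

for (const header of [SAMPLE_STRICT, SAMPLE_LOOSE]) {
  const rating = assessCsp(header, true);
  console.log(header, rating, checkCompatibility(rating, USER_LOCKED_DOWN));
}
```

Run with any recent Node.js. The strict sample rates as no-script, first-party-only and https-only and passes the locked-down user settings with no conflicts; the loose sample fails all three, and the same strict policy on an http: page is no longer https-only because 'self' then matches http loads.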