Re: [Content Security Policy] Proposal to move the debate forward

On Mon, Jan 31, 2011 at 5:36 AM, gaz Heyes <> wrote:
> Ok I've thought about this, IMO here is what you need:-
> 1) Policy editor. A online/offline editor to create policy scripts with a
> nice UI.

IMO, if this needs a policy editor, it's vastly too complicated for
the web.  Policy editors put me in mind of SELinux.

> 2) Validator. You need to validate policies, so we know what they are doing
> instead of thinking we know what they're doing. Should CSP refuse to load
> sites with invalid policies or syntax errors? I think yes.

XML-style well-formedness is usually not looked upon kindly for web
standards.  It makes it much too easy to DoS your site by accident,
and doesn't have much benefit.  Parsing should be well-defined in the
face of errors, and whatever policies you're able to parse should be
applied, with an error printed to the console.

Received on Tuesday, 1 February 2011 00:41:13 UTC