On 20 January 2011 21:47, Brandon Sterne <bsterne@mozilla.com> wrote: > I don't think the use of HTML tags instead of HTTP headers is > well-justified. The obvious drawback to using <meta> tags is that the > whole model can be subverted by an attacker who manages to inject his > attack code or bogus policy tag above the site's legitimate policy tag. > Mozilla considered the use of <meta> tags as an alternative to the > header, but we ultimately decided that the risk outlined above outweighs > the usability gained by allowing the policy to be expressed as a tag. > I sort of agree with this even though I suggested a link tag however the average dev won't use HTTP headers! They will be to complex to configure and nobody will apply the rules correctly or even know which rules they should be using. One way would be to automatically look for the existence of a CSP file in the root of the server, I know it's bad that the browser makes a extra http request but that way the dev only needs to create a policy file on the server. I think we should have policy files that mimic CSS syntax and even provide W3c validation, devs are obsessed with validating their HTML they even place images saying that the site is validated and it is a requirement for some companies to have a correctly formed site, if the site doesn't validate because it doesn't have a correct security policy then devs will be forced to make one. We can force security on them :)
Received on Thursday, 20 January 2011 22:11:45 UTC