Re: Scope and complexity (was Re: More on XSS mitigation)

On 25 January 2011 21:45, Adam Barth <w3c@adambarth.com> wrote:

> I guess I wish we had an extensibility model more like HTML where we
> could grow the security protections over time.  For example, we can
> probably agree that both <canvas> and <video> are great additions to
> HTML that might not have made sense when folks were designing HTML
> 1.0.
>

Glad you're coming around to my way of thinking =)

 X-Content-Security-Policy: policy.csp

policy.csp:-
* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}

This makes so much sense and is easy to understand for devs, can be validated,
and you can use existing technology (i.e. CSS parsers) to parse the policy
file. I'll shut up now

Received on Tuesday, 25 January 2011 22:03:42 UTC
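As an added illustration (not code from the thread or from any W3C draft): a small Python validator for the CSS-like policy file proposed in the message above, showing that the format can be parsed and validated with a few lines and that a checker can fail closed on unknown declarations. The declaration whitelist, the `*`-as-default precedence and the proxy/block semantics in `check_load` are assumptions the message leaves undefined.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample input: the policy.csp text proposed in the thread.
POLICY_CSP = """* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}"""

# Assumed whitelist of declarations (the thread defines none); anything else is rejected.
ALLOWED = {"origin": {"same-domain"}, "src": {"proxy-only"}, "onclick": {"true", "false"}}
RULE_RE = re.compile(r"([*\w-]+)\s*\{([^}]*)\}")
PROXY_RE = re.compile(r"url\((https?://[^\s()]+)\)")

def parse_policy(text):
    """Parse the CSS-like policy into {selector: {property: value}}, failing closed."""
    policy, rest = {}, text.strip()
    while rest:
        m = RULE_RE.match(rest)
        if not m:
            raise ValueError("malformed rule near %r" % rest[:20])
        decls = {}
        for decl in filter(None, (d.strip() for d in m.group(2).split(";"))):
            prop, _, value = (s.strip() for s in decl.partition(":"))
            if prop == "proxy" and PROXY_RE.fullmatch(value):
                value = value[4:-1]  # keep the URL prefix inside url( ... )
            elif value not in ALLOWED.get(prop, ()):
                raise ValueError("unknown declaration %s:%s" % (prop, value))
            decls[prop] = value
        policy[m.group(1)] = decls
        rest = rest[m.end():].strip()
    return policy

def check_load(policy, element, url, page_origin):
    """Assumed semantics: '*' sets defaults and element rules override them; src:proxy-only
    routes the load through the declared proxy, origin:same-domain blocks cross-origin."""
    rules = {**policy.get("*", {}), **policy.get(element, {})}
    if rules.get("src") == "proxy-only" and "proxy" in rules:
        return "proxy", rules["proxy"] + quote(url, safe="")
    u = urlsplit(url)
    if rules.get("origin") == "same-domain" and "%s://%s" % (u.scheme, u.netloc) != page_origin:
        return "block", None
    return "allow", url
```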