Re: [Content Security Policy] Proposal to move the debate forward

On 27 January 2011 16:54, Brandon Sterne <> wrote:

> 6. Policy delivery
>   a. HTTP header
>   b. <meta> (or <link>) tag, to be superseded by header if present
>   c. policy-uri: a URI from which the policy will be fetched; can be
>      specified in either header or tag

a) Policy shouldn't be defined in a http header it's too messy and what
happens when there's a mistake?

b) As discussed on the list there is no need to have a separate method as it
can be generated by an attacker. If a policy doesn't exist then an attacker
can now DOS the web site via meta.

c) We have a winner, a http header specifying a link to the policy file is
the way to go IMO, my only problem with it is devs implementing it. Yes
facebook would and probably twitter would but Dave's tea shop wouldn't pay
enough money to hire a web dev who knew how to implement a custom http
header yet they would know how to validate HTML. So the question is are we
bothered about little sites that are likely to have nice tea and XSS holes?
If so I suggest updating the HTML W3C validator to require a security policy
to pass validation if not I suggest a policy file delivered by http header.

Received on Friday, 28 January 2011 10:19:55 UTC