- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 28 Jan 2011 10:19:22 +0000
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org
- Message-ID: <AANLkTimCozNjFGNuVKmJjKnoVtLB+033pW=4SVfcRzMP@mail.gmail.com>
On 27 January 2011 16:54, Brandon Sterne <bsterne@mozilla.com> wrote:
> 6. Policy delivery
> a. HTTP header
> b. <meta> (or <link>) tag, to be superseded by header if present
> c. policy-uri: a URI from which the policy will be fetched; can be
> specified in either header or tag

a) Policy shouldn't be defined in an HTTP header; it's too messy, and what happens when there's a mistake?

b) As discussed on the list, there is no need to have a separate method, as it can be generated by an attacker. If a policy doesn't exist, then an attacker can now DoS the web site via meta.

c) We have a winner: an HTTP header specifying a link to the policy file is the way to go IMO. My only problem with it is devs implementing it. Yes, Facebook would, and probably Twitter would, but Dave's tea shop wouldn't pay enough money to hire a web dev who knew how to implement a custom HTTP header, yet they would know how to validate HTML. So the question is: are we bothered about little sites that are likely to have nice tea and XSS holes? If so, I suggest updating the HTML W3C validator to require a security policy to pass validation; if not, I suggest a policy file delivered by HTTP header.
Received on Friday, 28 January 2011 10:19:55 UTC
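The delivery precedence quoted in the message (header supersedes `<meta>`, policy-uri usable from either), modelled as an added example that is not part of the original message or of any CSP implementation; the header name, the `policy-uri <url>` value syntax and the `fetch_policy` stub are assumptions. It shows the point (b) concern: with no header, a `<meta>` tag injected into page content becomes the page's policy, while a header naming the operator's policy file takes precedence.

```python
import re

# Header name and the "policy-uri <url>" value syntax are assumptions made for
# this model; the thread fixes neither. Only double-quoted attributes are parsed.
HEADER_NAME = "x-content-security-policy"
META_RE = re.compile(r'<meta\s+http-equiv="' + HEADER_NAME + r'"\s+content="([^"]*)"',
                     re.IGNORECASE)


def effective_policy(headers, html, fetch):
    """Return the policy governing the page, or None if none was delivered.

    Precedence as in item 6: an HTTP header supersedes a <meta> tag, and a
    'policy-uri <url>' value from either channel is resolved through fetch().
    """
    source = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME:
            source = value
            break
    if source is None:
        m = META_RE.search(html)
        source = m.group(1) if m else None
    if source is None:
        return None
    m = re.match(r"\s*policy-uri\s+(\S+)\s*$", source, re.IGNORECASE)
    if m:
        return fetch(m.group(1))  # None when the policy file cannot be fetched
    return source.strip()


# Constructed sample data: a policy file the site operator controls, and a page
# whose comment section let a third party insert a <meta> tag.
POLICY_STORE = {"https://example.test/policy.txt": "allow 'self'; img-src *"}
INJECTED_PAGE = ('<html><body><p>comment:</p><meta http-equiv="X-Content-'
                 'Security-Policy" content="allow \'none\'"></body></html>')


def fetch_policy(url):
    """Stand-in (hypothetical) for an HTTP GET of the policy-uri."""
    return POLICY_STORE.get(url)


def policy_without_header():
    """Point b: with no header, the injected <meta> becomes the page's policy."""
    return effective_policy({}, INJECTED_PAGE, fetch_policy)


def policy_with_header():
    """A header naming the operator's policy file supersedes the injected tag."""
    hdrs = {"X-Content-Security-Policy": "policy-uri https://example.test/policy.txt"}
    return effective_policy(hdrs, INJECTED_PAGE, fetch_policy)
```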