- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 07 Apr 2009 17:32:44 -0700
- To: public-webapps@w3.org
Hello All,

Last summer Mozilla introduced potential Working Group items, among which was Content Security Policy. We have done a lot of work refining this proposal and I would like to re-submit it for comment and critique:

https://wiki.mozilla.org/Security/CSP
https://wiki.mozilla.org/Security/CSP/Spec

Robust mitigation of code injection is the goal of the proposal. Since its original submission, the model has changed. The current proposed model offers restrictions (triggered via HTTP header or meta tag) on additional types of content that may be loaded in web applications (e.g. images, CSS, object, etc.). Further restrictions on JavaScript use (e.g. eval(), new Function, etc.) have also been added.

Again, this proposal is not a fait accompli and is currently just a straw person, though nightly builds of Firefox may introduce a test implementation. Feedback on any aspect of the proposal is more than welcome. We would like to explore the possibility of creating an open standard for CSP, so any recommendations toward that end would also be greatly appreciated.

Note: this proposal is distinct from the work that is being done on the Origin (name TBD) header [1][2]. CSP and Origin (name TBD) are orthogonal and address different issues.

Best regards,
Brandon Sterne
Mozilla Security Group

[1] http://tools.ietf.org/html/draft-abarth-origin-00
[2] https://wiki.mozilla.org/Security/Origin
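The model the mail describes (a server-delivered allow list per content type, plus an opt-in for eval-style script) as an added illustrative example, not code from the proposal or from Mozilla; the directive names, the "allow-eval" keyword and the sample origin are assumptions for this demo, not the syntax of the draft spec linked above:

```javascript
// Constructed sample: the origin of the document that received the policy.
const DOCUMENT_ORIGIN = "https://app.example";

// Parse "script-src 'self' https://cdn.example; img-src *" into a
// Map of directive name -> list of allowed sources. Directive names are
// assumed for this demo; the real draft defines its own.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// scheme://host[:port] of a URL, used for origin comparison.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression in the policy cover this URL?
function sourceMatches(source, url) {
  if (source === "*") return true;
  if (source === "'none'") return false;
  if (source === "'self'") return originOf(url) === DOCUMENT_ORIGIN;
  if (source.includes("://")) return originOf(source) === originOf(url);
  // Bare host: compare hostname only, allowing a leading "*." wildcard.
  const host = new URL(url).hostname;
  if (source.startsWith("*.")) return host.endsWith(source.slice(1));
  return host === source.toLowerCase();
}

// Browser-side decision before a load: use the directive for this content
// type, fall back to "default", and allow everything if neither is set.
function isLoadAllowed(directives, type, url) {
  const sources = directives.get(type) ?? directives.get("default");
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url));
}

// eval()/new Function stay disabled unless the policy opts back in
// ("allow-eval" is an assumed keyword for this demo).
function isEvalAllowed(directives) {
  return (directives.get("options") ?? []).includes("allow-eval");
}
```

A policy that sets no directive at all changes nothing, which is why the fallback order (specific type, then default, then allow) matters when auditing what a header actually restricts.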
Received on Wednesday, 8 April 2009 00:33:26 UTC