Content Security Policy - Updated Spec

Hello All,

Last summer Mozilla introduced potential Working Group items, among
which was Content Security Policy.  We have done a lot of work refining
this proposal and I would like to re-submit it for comment and critique:

https://wiki.mozilla.org/Security/CSP
https://wiki.mozilla.org/Security/CSP/Spec

Robust mitigation of code injection is the goal of the proposal.  Since
its original submission, the model has changed.  The current proposed
model offers restrictions (triggered via HTTP header or meta tag) on
additional types of content that may be loaded in web applications (e.g.
images, CSS, object, etc.).  Further restrictions on JavaScript use
(e.g. eval(), new Function, etc.) have also been added.

Again, this proposal is not a fait accompli and is currently just a
straw person, though nightly builds of Firefox may introduce a test
implementation.  Feedback on any aspect of the proposal is more than
welcome.  We would like to explore the possibility of creating an open
standard for CSP, so any recommendations toward that end would also be
greatly appreciated.

Note: this proposal is distinct from the work that is being done on the
Origin (name TBD) header [1][2].  CSP and Origin (name TBD) are
orthogonal and address different issues.

Best regards,

Brandon Sterne
Mozilla Security Group

[1] http://tools.ietf.org/html/draft-abarth-origin-00
[2] https://wiki.mozilla.org/Security/Origin

Received on Wednesday, 8 April 2009 00:33:26 UTC
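As an added illustration of the loading restrictions the proposal describes (not code from the proposal or from Mozilla's implementation): a small policy evaluator that parses a CSP-style header and decides whether an image, stylesheet, object or script load is permitted, and whether eval() is allowed. It assumes the directive names that the later standardized CSP adopted (default-src, img-src, style-src, object-src, script-src, 'unsafe-eval') and simplifies source matching to exact origins, 'self' and 'none'.

```javascript
// Added example, not part of the CSP proposal or any browser implementation.
// Directive names follow the later standardized CSP (an assumption here);
// source matching is reduced to exact origins, 'self' and 'none'. Real CSP
// also handles schemes, wildcards, paths, nonces and hashes.

// Parse "img-src 'self' https://cdn.example; object-src 'none'" into a Map.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // First occurrence of a directive wins; later duplicates are ignored.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// scheme://host[:port] of a URL, which is the unit a source expression names.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Directive governing each content type the proposal wants to restrict.
const DIRECTIVE_FOR = {
  image: 'img-src', style: 'style-src', object: 'object-src', script: 'script-src',
};

// May the page at pageUrl load a resource of `type` from resourceUrl?
function isLoadAllowed(policy, type, pageUrl, resourceUrl) {
  const sources = policy.get(DIRECTIVE_FOR[type]) ?? policy.get('default-src');
  if (sources === undefined) return true;          // no directive: unrestricted
  if (sources.includes("'none'")) return false;    // explicit deny
  const resourceOrigin = originOf(resourceUrl);
  for (const src of sources) {
    if (src === "'self'" && resourceOrigin === originOf(pageUrl)) return true;
    if (src === resourceOrigin) return true;
  }
  return false;                                    // empty list also denies
}

// eval() and new Function are blocked whenever a script policy applies,
// unless the page opts back in with 'unsafe-eval'.
function isEvalAllowed(policy) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  return sources === undefined || sources.includes("'unsafe-eval'");
}
```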