Re: [webappsec] CSP META tag support - keep or remove?

On Fri, Mar 30, 2012 at 9:02 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/27/12 3:06 PM, Adam Barth wrote:
>> Let's number the use cases for easy reference (from Brad's message):
>>
>> 1) Support static documents loaded by file: , data: or other non-HTTP methods
>
> Not a common case. A more compelling "web" use-case is for
> situations where authors are given space for content but no control
> over the headers served (example: blog hosting services, the old
> Geocities). At Mozilla we were sad to give this case up when we
> decided policy-uri was safer than a <meta> tag.

To me, applications such as browser extensions (e.g., NoScript and
AdBlock) also count as `web' applications. This falls in the
"documents loaded by non-HTTP methods." Given the massive popularity
of these extensions, I would say it is a significant use case
(certainly not the most common case, but definitely warranting a say)

thanks
dev

Received on Tuesday, 3 April 2012 00:18:35 UTC