- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 2 Apr 2012 18:33:12 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-webappsec@w3.org

On Mon, Apr 2, 2012 at 5:17 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 9:02 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 3/27/12 3:06 PM, Adam Barth wrote:
>>> Let's number the use cases for easy reference (from Brad's message):
>>>
>>> 1) Support static documents loaded by file:, data: or other non-HTTP methods
>>
>> Not a common case. A more compelling "web" use-case is for
>> situations where authors are given space for content but no control
>> over the headers served (example: blog hosting services, the old
>> Geocities). At Mozilla we were sad to give this case up when we
>> decided policy-uri was safer than a <meta> tag.
>
> To me, applications such as browser extensions (e.g., NoScript and
> AdBlock) also count as `web' applications. This falls in the
> "documents loaded by non-HTTP methods." Given the massive popularity
> of these extensions, I would say it is a significant use case
> (certainly not the most common case, but definitely warranting a say)

Note: Chrome has added support for Content-Security-Policy natively in
its extension system:

http://code.google.com/chrome/extensions/contentSecurityPolicy.html

That's generally a better approach than the <meta> element because the
policy is enforced immediately and for all the resources in the
extension.

Adam

Received on Tuesday, 3 April 2012 01:34:14 UTC