On Fri, Feb 6, 2015 at 7:21 AM, John Wong <gokoproject@gmail.com> wrote: > My 3.1415 cents basically say CSP-based reporting is very helpful even > with the noise. I always think there should be one single reporting > mechanism for all the security headers, rather than asking developer to > write code and detect the UI/Browser warning and find their code is causing > trouble. And this needs to be outside of CSP, a superset reporting > mechanism that CSP can forward to. I tend to think of it like shipping logs > to logstash. This can be a whole different header... > Sounds like an interesting proposal! Perhaps we could flesh it out in a separate thread? > Now is auto-upgrading sub-resources a good security measure. I agree with > some of the concerns raised in Devdatta's bugzilla report ( > https://bugzilla.mozilla.org/show_bug.cgi?id=776278). I apologize if i am > really shifting the main attention, and please excuse my inability to keep > up with the latest development: > I think the major difference between the current proposal and Dev's bug is the word "auto". If the site needs to opt-into the behavior, then it's significantly less likely that doing so will expose the kind of `http://forbes.com/` vs ` https://forbes.com/` discrepancies; those sites will simply not opt-into the behavior. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 08:13:40 UTC