- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Wed, 22 Jul 2009 13:38:08 -0400
On Wed, Jul 22, 2009 at 1:20 PM, Bil Corry <bil at corry.biz> wrote:
> If it's desirable to add a 'report only' feature to CSP, I'd prefer to see a second CSP-related header (X-Content-Security-Policy-ReportOnly???) that implements it rather than adding it to the CSP header. The presence of both headers (CSP and CSPReportOnly) would mean both would be acted upon.

I can't see how that makes a difference either way for any purpose, really. It just seems like it would make it slightly more annoying for authors to deploy, and somewhat more confusing (since the presence of one header would drastically change the semantics of another).

> There's already been some discussion that authors would iteratively relax CSP until their site worked. I can see where an author enables ReportOnly, their site suddenly works and they mistakenly believe it's properly configured and actively protecting their site.

They might also make a typo in the policy file that causes Firefox to ignore the whole thing, and mistakenly believe they're being protected. Or they might enable CSP, then allow inline script and import from arbitrary foreign sites because that's what it took for their ads and Analytics to start working again, and think they're protected. You can't really do much to stop people from having a sense of false security if they neither understand nor test their security system. I don't think it's valuable to try.
Received on Wednesday, 22 July 2009 10:38:08 UTC
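The two-header design discussed in this message, with both headers acted upon independently, is modelled below as an added example (not code from the thread or from any browser). It assumes the header names CSP later standardised, `Content-Security-Policy` and `Content-Security-Policy-Report-Only`, rather than the `X-` prefixed names proposed here, and uses a constructed deployment in which a relaxed policy is enforced so ads keep working while a stricter candidate policy is trialled in report-only mode. A small `lint` function also flags the relaxations the reply warns about (inline script, wildcard origins, a misspelled directive leaving script unrestricted).

```python
"""Constructed model of a browser applying an enforcing CSP header next to a
report-only one, plus a linter for the relaxations the thread warns about.
Added example, not code from the W3C thread; header and directive names are
the ones CSP later standardised."""

from typing import Dict, List

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# CSP 1.0 directive names; anything else is treated as a probable typo.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "report-uri",
}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split "directive src src; directive src" into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def allows(directives: Dict[str, List[str]], directive: str,
           source: str, page_origin: str) -> bool:
    """Does this policy permit a load of `source` under `directive`?
    `source` is an origin such as "https://ads.example", or the marker
    "inline" for an inline <script>, which only 'unsafe-inline' permits."""
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no directive governs this load, so it is unrestricted
    for src in sources:
        if src == "*" and source != "inline":
            return True
        if src == "'self'" and source == page_origin:
            return True
        if src == "'unsafe-inline'" and source == "inline":
            return True
        if src == source:
            return True
    return False


def evaluate(headers: Dict[str, str], directive: str, source: str,
             page_origin: str) -> Dict[str, bool]:
    """Apply both headers independently: only the enforcing policy blocks;
    the report-only policy just records that it would have blocked."""
    enforce = headers.get(ENFORCE_HEADER)
    report_only = headers.get(REPORT_ONLY_HEADER)
    blocked = (enforce is not None and
               not allows(parse_policy(enforce), directive, source, page_origin))
    reported = (report_only is not None and
                not allows(parse_policy(report_only), directive, source, page_origin))
    return {"blocked": blocked, "report_only_violation": reported}


def lint(policy: str) -> List[str]:
    """Flag settings that make a policy look deployed while protecting little."""
    findings = []
    directives = parse_policy(policy)
    for name, sources in directives.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}' (typo?)")
        if name in ("script-src", "default-src") and "'unsafe-inline'" in sources:
            findings.append(f"{name} permits inline script")
        if "*" in sources:
            findings.append(f"{name} permits any origin")
    if "script-src" not in directives and "default-src" not in directives:
        findings.append("no script-src or default-src: script is unrestricted")
    return findings


# Constructed deployment: the relaxed policy is enforced so ads keep working,
# while the stricter candidate policy is trialled in report-only mode.
PAGE_ORIGIN = "https://www.example"
SAMPLE_HEADERS = {
    ENFORCE_HEADER: "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    REPORT_ONLY_HEADER: "default-src 'self'",
}

if __name__ == "__main__":
    for source in ("https://ads.example", "inline", PAGE_ORIGIN):
        print(source, evaluate(SAMPLE_HEADERS, "script-src", source, PAGE_ORIGIN))
    print(lint(SAMPLE_HEADERS[ENFORCE_HEADER]))
```

Run stand-alone, the script shows the ad script and the inline script loading unblocked (the enforced policy permits them) while the report-only policy records a violation for each, which is the signal an author needs before tightening the enforced header; a response carrying only the report-only header never blocks anything, and `lint` on the enforced policy lists exactly the relaxations that make it protect little.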