[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Bil Corry bil at corry.biz
Fri Nov 7 18:33:20 EST 2008


Giorgio Maone wrote on 11/7/2008 4:07 PM: 
> I've been an advocate of content restrictions for a long time, and also
> helped bsterne with first implementation (Site Security Policy)
> The CSRF part of content restrictions has been dropped in current
> implementation called Content Security
> Policy <http://people.mozilla.org/%7Ebsterne/content-security-policy/> because
> they hope the Origin header will be properly handled either at the
> application level or configuring effective server side WAF rules.

Something that appears to be missing from the spec is a way for the browser to advertise to the server that it will support Content Security Policy, possibly with the CSP version.  By having the browser send an additional header, it allows the server to make decisions about the browser, such as limiting access to certain resources, denying access, redirecting to an alternate site that tries to mitigate using other techniques, etc.


- Bil
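
To make the proposal above concrete, here is an added example of the server side of such a scheme; it is not code from this thread or from Mozilla's CSP implementation. It assumes a hypothetical request header, `X-CSP-Support: <major>.<minor>`, that no browser actually sends, an assumed alternate site URL, and the response header name `Content-Security-Policy` as later standardized (the 2008 prototypes used an `X-` prefixed name). The server keys its decision on the advertised version: a supporting browser gets the page with the policy, an older version is kept away from sensitive paths, and a browser that advertises nothing is redirected to the alternate site for those paths.

```python
"""Server-side policy selection keyed on a client-advertised CSP capability header.

Added example; not code from the mailing-list post or from Mozilla's CSP work.
The request header 'X-CSP-Support' and its 'major.minor' syntax are assumptions
for illustration only: no browser sends this header.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional, Tuple

ADVERT_HEADER = "X-CSP-Support"          # hypothetical advertisement header
POLICY = "default-src 'self'"            # the page's own policy
REQUIRED_VERSION = (1, 0)                # lowest version known to enforce POLICY fully
ALT_SITE = "https://alt.example.test/"   # assumed fallback site using other mitigations


def parse_csp_support(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse 'X-CSP-Support: 1.0' into (major, minor); None when absent or malformed."""
    if value is None:
        return None
    parts = value.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]))


@dataclass
class Decision:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def is_sensitive(resource: str) -> bool:
    """Paths the server refuses to expose without a known-good CSP implementation."""
    return resource.startswith("/account/")


def decide(request_headers: Mapping[str, str], resource: str) -> Decision:
    """Choose a response for `resource` from the browser's advertised CSP version.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in request_headers.items()}
    version = parse_csp_support(lowered.get(ADVERT_HEADER.lower()))
    with_policy = {"Content-Security-Policy": POLICY}

    if version is not None and version >= REQUIRED_VERSION:
        # Browser claims to enforce the policy: serve everything with it attached.
        return Decision(200, with_policy, f"serving {resource}")

    if version is not None:
        # Older CSP: still send the policy (it will be partially honoured),
        # but deny the resources we only expose under a full implementation.
        if is_sensitive(resource):
            return Decision(403, {}, "advertised CSP version too old for this resource")
        return Decision(200, with_policy, f"serving {resource}")

    # No advertisement at all: the browser will ignore the policy header, so send
    # sensitive traffic to the alternate site that relies on other mitigations.
    if is_sensitive(resource):
        return Decision(302, {"Location": ALT_SITE + resource.lstrip("/")})
    return Decision(200, with_policy, f"serving {resource}")


if __name__ == "__main__":
    for hdrs, path in (({"X-CSP-Support": "1.0"}, "/account/settings"),
                       ({"x-csp-support": "0.9"}, "/account/settings"),
                       ({}, "/account/settings"),
                       ({}, "/index.html")):
        d = decide(hdrs, path)
        print(path, hdrs, "->", d.status, d.headers)
```

One caveat a practitioner would attach to this design: the advertisement is asserted by the client, so a hostile or spoofed user agent can claim any version. It is usable for choosing which mitigation to apply, and for refusing to serve content to browsers that cannot protect it, but never as evidence that a policy was actually enforced on the client.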
