[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Bil Corry bil at corry.biz
Mon Nov 10 16:40:00 EST 2008


Bil Corry wrote on 11/7/2008 5:33 PM: 
> Giorgio Maone wrote on 11/7/2008 4:07 PM:
>> I've been an advocate of content restrictions for a long time, and
>> also helped bsterne with the first implementation (Site Security
>> Policy). The CSRF part of content restrictions has been dropped in the
>> current implementation, called Content Security Policy
>> <http://people.mozilla.org/%7Ebsterne/content-security-policy/>, because
>> they hope the Origin header will be properly handled either at the
>> application level or by configuring effective server-side WAF rules.
> 
> Something that appears to be missing from the spec is a way for the
> browser to advertise to the server that it will support Content
> Security Policy, possibly with the CSP version.  By having the
> browser send an additional header, it allows the server to make
> decisions about the browser, such as limiting access to certain
> resources, denying access, redirecting to an alternate site that
> tries to mitigate using other techniques, etc.

No replies to this, but putting on my developer hat: without the browser advertising whether it will follow the CSP directives, I would have to test for browser compliance, much like how I currently have to test for cookie and JavaScript support.


- Bil
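The two options raised in this thread, trusting a browser-advertised CSP version versus probing for compliance the way one probes for cookie or JavaScript support, as an added server-side sketch that is not part of the original message or of any CSP draft. The `X-CSP-Version` header is hypothetical (no such header exists in CSP), and the probe assumes a same-origin `/probe.js` that pings `/csp-probe?js=1` and that pings are correlated to the client by session.

```python
from typing import Dict, Mapping, Optional, Tuple

# Hypothetical header (not part of any CSP draft): the version a browser
# claims to enforce, as proposed in the thread.
ADVERTISE_HEADER = "x-csp-version"
MIN_CSP_VERSION = 1
POLICY = "default-src 'self'"


def advertised_csp_version(headers: Mapping[str, str]) -> Optional[int]:
    """Return the advertised CSP version, or None if absent or malformed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(ADVERTISE_HEADER, "").strip()
    return int(value) if value.isdigit() else None


def probe_page() -> Tuple[Dict[str, str], str]:
    """Response (headers, body) that tests whether the browser enforces CSP.

    /probe.js (assumed to exist) is same-origin and therefore allowed by the
    policy; the inline script is blocked by a compliant browser, so its ping
    only arrives from a browser that ignores the policy."""
    body = (
        "<html><body>"
        '<script src="/probe.js"></script>'  # allowed: pings /csp-probe?js=1
        '<script>new Image().src="/csp-probe?inline=1";</script>'  # blocked if enforced
        "</body></html>"
    )
    return {"Content-Security-Policy": POLICY}, body


def interpret_probe(js_seen: bool, inline_seen: bool) -> str:
    """Classify the pings received from the probe page for one client."""
    if inline_seen:
        return "not-enforced"  # inline script ran despite the policy
    if js_seen:
        return "enforced"      # external script ran, inline one did not
    return "unknown"           # no JavaScript ran at all (disabled or never loaded)


def decide(headers: Mapping[str, str], probe_result: Optional[str]) -> str:
    """Choose how to serve this client: 'enforce' (send CSP and rely on it),
    'fallback' (redirect to a site using other mitigations) or 'probe'."""
    version = advertised_csp_version(headers)
    if version is not None and version >= MIN_CSP_VERSION:
        return "enforce"
    if probe_result == "enforced":
        return "enforce"
    if probe_result in ("not-enforced", "unknown"):
        return "fallback"  # treat "no JavaScript" like a non-compliant client
    return "probe"
```

A client that advertises nothing and has not yet been probed is served the probe page first; the classification then drives every later response for that session.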

