[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input
giorgio.maone at gmail.com
Mon Nov 10 17:25:26 EST 2008
I'm all for advertising this feature in a browser built-in implementation,
but I'm not gonna do it in NoScript because it would be too easy a way
to "fingerprint" NoScript users and possibly discriminate against them, like it
already happened with AdBlock Plus.
On Mon, Nov 10, 2008 at 10:40 PM, Bil Corry <bil at corry.biz> wrote:
> Bil Corry wrote on 11/7/2008 5:33 PM:
> > Giorgio Maone wrote on 11/7/2008 4:07 PM:
> >> I've been an advocate of content restrictions for a long time, and
> >> also helped bsterne with first implementation (Site Security
> >> Policy) The CSRF part of content restrictions has been dropped in
> >> current implementation called Content Security
> >> Policy <http://people.mozilla.org/%7Ebsterne/content-security-policy/>;
> >> they hope the Origin header will be properly handled either at the
> >> application level or configuring effective server side WAF rules.
> > Something that appears to be missing from the spec is a way for the
> > browser to advertise to the server that it will support Content
> > Security Policy, possibly with the CSP version. By having the
> > browser send an additional header, it allows the server to make
> > decisions about the browser, such as limiting access to certain
> > resources, denying access, redirecting to an alternate site that
> > tries to mitigate using other techniques, etc.
> No replies to this, but putting on my developer hat, without the browser
> advertising if it will follow the CSP directives, I would have to test for
> browser compliance, much like how I currently have to test for cookie and
> - Bil