[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Giorgio Maone giorgio.maone at gmail.com
Mon Nov 10 17:25:26 EST 2008


I'm all for advertising this feature in a browser built-in implementation,
but I'm not gonna do it in NoScript because it would bee a too much easy way
to "fingerprint" NoScript users and possibly discriminating them like it
already happened with AdBlock Plus.

On Mon, Nov 10, 2008 at 10:40 PM, Bil Corry <bil at corry.biz> wrote:

> Bil Corry wrote on 11/7/2008 5:33 PM:
> > Giorgio Maone wrote on 11/7/2008 4:07 PM:
> >> I've been an advocate of content restrictions for a long time, and
> >> also helped bsterne with first implementation (Site Security
> >> Policy) The CSRF part of content restrictions has been dropped in
> >> current implementation called Content Security
> >> Policy<http://people.mozilla.org/%7Ebsterne/content-security-policy/
> >because
> >>  they hope the Origin header will be properly handled either at the
> >>  application level or configuring effective server side WAF rules.
> >
> > Something that appears to be missing from the spec is a way for the
> > browser to advertise to the server that it will support Content
> > Security Policy, possibly with the CSP version.  By having the
> > browser send an additional header, it allows the server to make
> > decisions about the browser, such as limiting access to certain
> > resources, denying access, redirecting to an alternate site that
> > tries to mitigate using other techniques, etc.
>
> No replies to this, but putting on my developer hat, without the browser
> advertising if it will follow the CSP directives, I would have to test for
> browser compliance, much like how I currently have to test for cookie and
> JavaScript support.
>
>
> - Bil
>
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-intrinsic-security/attachments/20081110/f098f2b0/attachment.html 


More information about the owasp-intrinsic-security mailing list