[owasp-intrinsic-security] Application Boundaries Enforcer (ABE) - Call for Input

Bil Corry bil at corry.biz
Tue Nov 11 21:30:40 EST 2008


Giorgio Maone wrote on 11/10/2008 4:25 PM: 
> I'm all for advertising this feature in a browser built-in implementation,
> but I'm not gonna do it in NoScript because it would be too easy a way
> to "fingerprint" NoScript users and possibly discriminate against them, as
> already happened with AdBlock Plus.

I agree, I was strictly talking about CSP.

Getting back to your original request, the biggest challenge for ABE that I see is the UI: I can tell you that if the average user is required to manually enter those rules, or if they must decide what is/isn't allowed, AND especially if their choices break the web applications they're using, then most likely they'll turn it off. The default settings should strive to require as little input from the user as possible (with "none" being the ideal).


- Bil



