Comments on "the wild web: CSP: with or without meta?" (blog by Sid Stamm, http://www.blogger.com/profile/08788622306405563565), comment feed updated 2024-03-15T21:12:43-07:00

Comment by Gerv (https://www.blogger.com/profile/06079277032027702609), 2009-06-30T02:19:35-07:00

Why not allow multiple headers, and keep the intersection algorithm?

This way, the hosting company has to provide a special interface for editing the header rather than the customer just being able to type it into the page, but it still allows it to make non-negotiable restrictions. They just serve their restrictions in the first header, and make sure the customer-provided header comes afterwards.

This means you still need the policy intersection logic, so that part of the complexity isn't removed, but it still allows, at least in some ways, the use case that you were worried about. A compromise, in other words.

Comment by Wladimir Palant (http://adblockplus.org/), 2009-06-30T00:09:30-07:00

I tend to agree with the removal of the meta tag. It will allow for quite a bit of simplification in both the spec and the implementation - and with these things the simpler solution is the better one; it will make it far more likely that other browsers adopt the same approach. The attack targets are typically dynamic pages; those can always change the HTTP headers (with things like SSI being a rare exception - and you have to try hard to make an SSI-based page vulnerable). So it is probably a safe bet that 99% of sites interested in using this feature won't have problems adding HTTP headers.

However, it might make sense to allow multiple policy-uri entries. A large website with lots of different applications might want to define a global (not too restrictive) policy. As it stands now, if a particular application needs a more restrictive policy you will need to make a copy of the global policy and modify it - and accept the resulting maintenance effort if the global policy ever changes. Not sure whether this is really an issue worth solving of course, just a thought.