Thoughts on Declaring Security Policies
My thoughts about Mozilla’s Content Security Policy proposal were just published over on the IEBlog.  I actually have quite a bit more to say (at even greater length :-) about declarative security mechanisms, and some more technical feedback specific to CSP.  I hope to make a number of posts on this topic to this (IEInternals) blog over the coming months, and continue to engage directly with the smart folks working on CSP over at Mozilla.
Until then, if you’ve got a suggestion for security features (declarative or other) that you think would be valuable for browsers to offer, feel free to sound off in the comments below!
thanks,
Eric

Comments (2)

  1. EricLaw says:

    The Mozilla folks requested that I post my detailed feedback publicly.  If you’re interested in the gory details, you can find them here:

    http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822#

  2. EricLaw says:

    Ian Hickson, editor of HTML5, weighed in with his feedback here: http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca#

    His conclusion?  "I think CSP is orders of magnitude too complicated to be a successful security mechanism on the Web."