Content Security Policy

28. September 2011, 16:01:01

Alveuel

Posts: 5

Content Security Policy

I originally posted in the "Security and privacy in Opera" forum, but was told my request may better be served in this section. Security is what Opera brags about and rightly so. FF has a 1 up with the new CSP stuff they have designed, perhaps maybe Opera could one up them with an update that gives Opera the same functionality. :) Opera is currently ahead of Chrome in the testing suite mentioned below, but well behind FF as they pass all the tests. I know this isn't the most important security update in the world, but to have it would be another feather in the cap of an already amazing product, Opera.

An article on the web about CSP:
http://www.ghacks.net/2011/05/08/firefox-4-supports-content-security-policy/

A testing site for CSP:
http://people.mozilla.org/~bsterne/content-security-policy/demo.cgi

System Specs:
Operating System: Windows 7 Professional
Opera Version: 11.51
Opera Build: 1087

29. September 2011, 08:18:47

c69

Posts: 354

What a nice spec!

Issue:
Should an empty policy be treated as default-src 'none' or default-src *?


https://dvcs.w3.org/hg/content-security-policy/raw-file/bcf1c45f312f/csp-unofficial-draft-20110303.html

-1, it's not ready at all.

29. September 2011, 10:08:26

Originally posted by c69:

it's not ready at all.


Does that mean that the Content Security Policy spec is not final yet and the spec can be changed a little before it is finalized?
Windows 7 SP1 x86 edition and Windows XP Service Pack 3.
If you need any help from me with regards to Opera, please make a comment on any of my blog posts.
Support Opera wishes

29. September 2011, 14:40:00

serious

Now also on Vivaldi

Posts: 5658

When reading through the changes it indicates first, and also the "unofficial draft" title agrees ...
All my posts only represent my own opinions.
[ Tweedo Monitor - Deluxe Website & Service Monitoring ]

29. September 2011, 15:25:23

Alveuel

Posts: 5

CSP isn't finalized, but nor was (maybe is) HTML 5, doesn't mean you ignore it. :) I think it's good to be the front runner in something, because you get to maybe help shape the outcome.

29. September 2011, 17:08:32

RyanChappelle

NonOperator^=

Posts: 410

No, it doesn't mean you ignore it, but it doesn't mean that you dedicate your limited workforce to set up something that tomorrow can be changed completely or even removed on a whim. Opera is a pretty good browser at implementing finalized specs. Let other people who do it for the fun or the science be the beta testers.
My Wishlist:
SOCKS ALREADY! + Gopher ∥ sys notifications ∥ +Info Panel ∥ dæmon mode ∥ etc
Mi web
GULIX -- Araucanía

Opera can adapt to the world, but that should not be at the cost of making any of them both stupider

18. October 2011, 03:51:18

domblogger

Posts: 31

Some things still need to be hashed out, but it most certainly is ready.
Use of the spec in the wild by both webmasters and browsers will help hash out some of the ambiguity.

Use of CSP would neuter a large percentage of XSS attacks. Webmasters should start implementing it now.

With respect to the ambiguity you mentioned, there's a simple solution - specify default-src.

I specify default-src 'none' in my CSP header so that there is no question, browsers know that if I don't white list a protocol:host:domain in other directives, it gets blocked.

Chrome now supports CSP in testing, which probably means the other gtk-webkit browsers will follow. Opera really should look into it if they are not already.
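
The default-src fallback described in the post above, as an added example that is not part of the original thread: a simplified model of how a policy with an explicit default-src 'none' resolves a directive the site never listed, and how a policy without default-src leaves that question open. The policy strings, the example.com hosts and the function names are constructed for illustration, and only 'none', *, 'self' and exact origins are matched.

```javascript
// Simplified model of CSP source-list evaluation, not a browser's full algorithm.
// Parse a header value such as "default-src 'none'; img-src 'self'" into a Map.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Keep the first occurrence of a directive; ignore later duplicates.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Returns true (allowed), false (blocked) or null (the policy is silent,
// which is the case the draft's "empty policy" issue is about).
// Assumes `directive` is a fetch directive such as script-src or img-src.
function allows(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy.has(directive)
    ? policy.get(directive)
    : policy.get('default-src'); // fall back when the directive is absent
  if (sources === undefined) return null;
  const origin = new URL(resourceUrl).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return origin === pageOrigin;
    return src === origin; // this model matches exact scheme://host[:port] only
  });
}

// Constructed sample policies and page origin.
const PAGE = 'https://www.example.com';
const STRICT = parsePolicy(
  "default-src 'none'; script-src https://static.example.com; img-src 'self'"
);
const NO_DEFAULT = parsePolicy('script-src https://static.example.com');

console.log(allows(STRICT, 'script-src', 'https://static.example.com/app.js', PAGE));
console.log(allows(STRICT, 'font-src', 'https://static.example.com/f.woff', PAGE));
console.log(allows(NO_DEFAULT, 'font-src', 'https://static.example.com/f.woff', PAGE));
```

With the explicit default-src 'none', the unlisted font-src request is blocked; without any default-src the model returns null because the policy itself gives no answer.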

6. June 2012, 12:39:41

mkwst

Posts: 1

Quick FYI: The Content Security Policy spec is moving towards Last Call in the very near future.

It's probably worth your time to take another look at the specification. I think you'll find that the questions that were floating around at the end of last year have been resolved.

Thanks!
