[webkit-gtk] Client side security policy?
Michael A. Peters
mpeters at mac.com
Thu Mar 18 08:44:23 PDT 2010
I have recently become a big fan of Midori primarily due to its
rendering speed. The one thing that keeps me using Firefox is the
Firefox also is doing some work on something called Content Security
Policy, which I am already implementing on my web sites.
I think it would be wonderful if webkit could implement content security
policy, and allow users to optionally define default policies that can
over ride the web site defined policy (if one exists) to make the policy
IE I could set default policy to allow CSS, image, video, audio from
anywhere but only allow script,embed,object from white listed web sites.
This would give me much the same security as NoScript gives when using
web kit browsers and would also let me benefit from policy restrictions
that web masters themselves set.
Default should be allow all so that web sites that do not use CSP do not
have blocked resources unless the user wants the additional protection
(in which case the user can add white listed domains etc.) but doing it
this way kills two birds with one stone - it implements CSP and provides
functionality similar to NoScript for those of us who want it.
Of course if a web sites does send the CSP header, user defined CSP
should only tighten the policy, never loosen the policy.
Is this the kind of thing Webkit might be interested in implementing?
I really like NoScript, blocking unwanted flash and JS garbage that do
things with my browser that I do not want done is a real benefit to me.
More information about the webkit-gtk