[webkit-gtk] Client side security policy?

Michael A. Peters mpeters at mac.com
Thu Mar 18 08:44:23 PDT 2010

I have recently become a big fan of Midori primarily due to its 
rendering speed. The one thing that keeps me using Firefox is the 
NoScript extension.

Firefox also is doing some work on something called Content Security 
Policy, which I am already implementing on my web sites.

I think it would be wonderful if webkit could implement content security 
policy, and allow users to optionally define default policies that can 
over ride the web site defined policy (if one exists) to make the policy 

IE I could set default policy to allow CSS, image, video, audio from 
anywhere but only allow script,embed,object from white listed web sites.

This would give me much the same security as NoScript gives when using 
web kit browsers and would also let me benefit from policy restrictions 
that web masters themselves set.

Default should be allow all so that web sites that do not use CSP do not 
have blocked resources unless the user wants the additional protection 
(in which case the user can add white listed domains etc.) but doing it 
this way kills two birds with one stone - it implements CSP and provides 
functionality similar to NoScript for those of us who want it.

Of course if a web sites does send the CSP header, user defined CSP 
should only tighten the policy, never loosen the policy.

Is this the kind of thing Webkit might be interested in implementing?
I really like NoScript, blocking unwanted flash and JS garbage that do 
things with my browser that I do not want done is a real benefit to me.

More information about the webkit-gtk mailing list