[webkit-gtk] Client side security policy?

David P. Reed dpreed at reed.com
Thu Mar 18 09:02:23 PDT 2010 

To be honest, I hate the idea that one should disable large parts of 
emerging standard capability such as Javascript, CSS, fonts, ...  this 
just makes web designers have to deal with users demanding all forms of 
crippling be supported.

Far better to sandbox, as Chromium does with its version of Webkit.  
That fixes the issue where it really lies.

If there is an option to cripple Javascript, please keep it a 
compile-time option.

On 03/18/2010 11:44 AM, Michael A. Peters wrote:
> I have recently become a big fan of Midori primarily due to its 
> rendering speed. The one thing that keeps me using Firefox is the 
> NoScript extension.
>
> Firefox also is doing some work on something called Content Security 
> Policy, which I am already implementing on my web sites.
>
> I think it would be wonderful if webkit could implement content 
> security policy, and allow users to optionally define default policies 
> that can over ride the web site defined policy (if one exists) to make 
> the policy stricter.
>
> IE I could set default policy to allow CSS, image, video, audio from 
> anywhere but only allow script,embed,object from white listed web sites.
>
> This would give me much the same security as NoScript gives when using 
> web kit browsers and would also let me benefit from policy 
> restrictions that web masters themselves set.
>
> Default should be allow all so that web sites that do not use CSP do 
> not have blocked resources unless the user wants the additional 
> protection (in which case the user can add white listed domains etc.) 
> but doing it this way kills two birds with one stone - it implements 
> CSP and provides functionality similar to NoScript for those of us who 
> want it.
>
> Of course if a web sites does send the CSP header, user defined CSP 
> should only tighten the policy, never loosen the policy.
>
> Is this the kind of thing Webkit might be interested in implementing?
> I really like NoScript, blocking unwanted flash and JS garbage that do 
> things with my browser that I do not want done is a real benefit to me.
> _______________________________________________
> webkit-gtk mailing list
> webkit-gtk at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-gtk
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-gtk/attachments/20100318/1aa713ec/attachment.html>

More information about the webkit-gtk mailing list