Oct 10, 2010

I spent today working on documentation for Content Security Policy. It’s not quite done yet, but I have written much of it. If someone would like to look it over, that would be fantastic, as that would let me get it finished up tomorrow.

I’ll be writing about CSP reports tomorrow.

If you’re not familiar with CSP, it’s a new technology that lets a site tell the browser where content may be loaded from. Because the server describes its legitimate content sources in a known, carefully designed format, the browser and server can work together to help mitigate a wide variety of attacks.

I’m not really a big security guy, but this is still pretty cool. You should look into it. The best part is that it gracefully falls back to working normally if either the web server or the browser doesn’t support CSP.
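As an added illustration (not part of the original post or of the documentation it describes), here is a small Python model of the decision a browser makes under CSP: parse the header, pick the directive for the kind of load (falling back to `default-src`), and match the requested URL against that directive's source list. The policy string and URLs are constructed, and the directive syntax is that of today's `Content-Security-Policy` header rather than the 2010 `X-Content-Security-Policy` prefix; the real matching rules are the spec's, which this only approximates.

```python
# Added example, not the post's or the CSP documentation's own code.
# Models how a browser checks a load against a Content-Security-Policy header.
# Policy strings and URLs used with it are constructed sample values.
from urllib.parse import urlparse


def parse_policy(header):
    """Turn "default-src 'self'; img-src https://cdn.example" into a dict."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]  # directive name -> source list
    return policy


def source_matches(expr, page_origin, url):
    """Does one source expression allow loading `url` into a page at `page_origin`?"""
    expr = expr.lower()
    u, p = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":                          # same scheme and host:port as the page
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.endswith(":"):                        # scheme-source such as https:
        return u.scheme == expr[:-1]
    e = urlparse(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != u.scheme:         # explicit scheme must match
        return False
    host, port = e.hostname or "", e.port
    if host.startswith("*."):                     # wildcard matches subdomains only
        host_ok = (u.hostname or "").endswith(host[1:])
    else:
        host_ok = u.hostname == host
    return host_ok and (port is None or port == u.port)  # explicit port must match


def is_allowed(header, page_origin, directive, url):
    """Specific directive first, else default-src; no policy at all means allow.

    The empty-header case is the graceful fallback the post mentions: a server
    that sends no CSP leaves the browser behaving exactly as before.
    """
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, page_origin, url) for s in sources)
```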

Posted by at 11:16 AM

3 Responses to “Content Security Policy documentation in progress”

  1. Typo in ‘Default CSP Restrictions’:
    “forces content to be kept entirely separate from content” – first “content” should be “script”

  2. Good catch; thanks!

  3. I looked through it and corrected a typo or two, and I also sent feedback to Brandon and Sid, the CSP spec authors, about some clarifications necessary. Sid says he hopes to look over your docs by the end of the week.