Content Security Policy update
A quick update about Content Security Policy (CSP): browsers are well on their way to adopting the specification.
Firefox 4 already shipped an early draft, and I just found out that it also works in Chrome, Safari and IE 10 (IE10's implementation only honours the sandbox directive, so don't count on it to restrict script sources).
IE10 and Firefox read the following header name:
- X-Content-Security-Policy: default-src 'self'
While Safari and Chrome read:
- X-Webkit-CSP: default-src 'self'
When the specification is finalized, the X- prefix will be dropped and the header will simply be 'Content-Security-Policy'. Until then, sending all three header names with the same value is harmless: each browser ignores the ones it doesn't recognize, so one response can cover every engine.
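As an added example (not code from the original post), here is how a server can emit one policy under all three header names, with a small serializer that rejects misspelled directive names (browsers silently ignore those, which is how a "protected" site ends up unprotected), a parser for the header value, and a check for whether a policy still leaves inline script enabled. The directive list is the CSP 1.0 set; the handler class, function names and the /app.js path are assumptions made for the demo.

```python
"""Emit a Content Security Policy under the prefixed and final header names.

Added example for this post; the header names come from the post, the
directive set is CSP 1.0, and everything else is illustrative.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, List, Optional, Tuple

# The two vendor-prefixed names mentioned in the post plus the unprefixed
# name the finished spec uses.  Sending all three covers Firefox/IE10,
# WebKit browsers and spec-compliant browsers with a single response.
CSP_HEADER_NAMES = (
    "Content-Security-Policy",
    "X-Content-Security-Policy",
    "X-WebKit-CSP",
)

# Directive names defined by CSP 1.0.
CSP_DIRECTIVES = frozenset({
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "sandbox",
    "report-uri",
})


def serialize_policy(directives: Dict[str, Iterable[str]]) -> str:
    """Turn {"default-src": ["'self'"], ...} into "default-src 'self'; ...".

    Unknown directive names are rejected here because a typo such as
    "scripts-src" is ignored by browsers without any error.
    """
    parts = []
    for name, sources in directives.items():
        if name not in CSP_DIRECTIVES:
            raise ValueError(f"unknown CSP directive: {name!r}")
        source_list = list(sources)
        if not source_list:
            raise ValueError(f"directive {name!r} has an empty source list")
        parts.append(f"{name} {' '.join(source_list)}")
    return "; ".join(parts)


def parse_policy(value: str) -> Dict[str, List[str]]:
    """Inverse of serialize_policy: header value -> {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_headers(value: str) -> List[Tuple[str, str]]:
    """Pair one policy value with every header name a browser of the era reads."""
    return [(name, value) for name in CSP_HEADER_NAMES]


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """True when inline <script> is still permitted, i.e. reflected XSS still runs.

    script-src falls back to default-src; with neither present, nothing
    restricts scripts at all.
    """
    sources: Optional[List[str]] = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


class CSPHandler(BaseHTTPRequestHandler):
    """Serves a page under default-src 'self' (assumed demo handler)."""

    policy = serialize_policy({"default-src": ["'self'"]})

    def do_GET(self) -> None:
        # The script is external on purpose: under default-src 'self'
        # an inline <script> block would be blocked by the browser.
        body = (b"<!doctype html><html><body><p>Hello</p>"
                b'<script src="/app.js"></script></body></html>')
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in csp_headers(self.policy):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), CSPHandler).serve_forever()
```

Run the module and fetch http://127.0.0.1:8000/ with curl -i to see the three headers; allows_inline_script is the check to run against your own policy before deploying it, since 'unsafe-inline' in script-src gives back exactly the capability CSP was supposed to take away from an attacker.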
A call for support
Hi developers! Start implementing this feature! It's important for the future and security of the web. The web's most common vulnerability, from what I understand, is still XSS, and if people properly implement CSP, exploitable XSS can effectively become a thing of the past. Be aware that a policy like default-src 'self' blocks inline scripts, inline event handlers and eval() as well as third-party script sources, so adopting it means moving your own inline scripts into external files served from your origin. That refactoring is the real work, and it is also what makes injected markup inert.