Sunday, July 29, 2012

Safari 6 gets Content-Security-Policy right

While I'm talking about improvements in Mountain Lion, I might as well mention something good about Safari 6.

There's something relatively new called Content-Security-Policy which lets you restrict what a web page can do. This lets you deal with potentially evil content (like raw data from untrusted sources) without having to go to extreme lengths. You can turn off inline scripting, restrict script-src to all but certain hosts, limit the locations for images and fonts, and more.

Firefox got this working last year. I wrote about it back then. I was working on an RSS/Atom feed reader which displayed content inline and didn't want those feeds to have the ability to run scripting in my pages. Discovering CSP let me plug it in on browsers which supported it while adding an explanation for why things were missing on others.

Later on in 2011 or perhaps earlier this year, Chrome picked up CSP compatibility. It uses a different HTTP header (X-WebKit-CSP) than Firefox (X-Content-Security-Policy), but they work the same way. It took a little while to settle down, but eventually Chrome was just as usable as Firefox.
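As an added example (not code from the post or its feed reader), here is the kind of policy the post describes for a page that embeds untrusted feed content, emitted under both vendor-prefixed header names mentioned above plus the unprefixed W3C name, together with a small evaluator that shows which fetches the policy allows. The host names (`reader.example.com`, `img.example.net`, `fonts.example.net`) are constructed for the example, and the matcher is a simplified model of CSP 1.0 source matching (exact origins, `'self'`, `'none'`, `'unsafe-inline'`), not a browser's full algorithm.

```python
"""Added example: build, emit and evaluate a Content-Security-Policy for a
feed-reader page. Not the post's own code; host names are constructed."""
from urllib.parse import urlsplit

# Policy for a page that renders untrusted feeds inline: no inline script
# (no 'unsafe-inline'), scripts only from our own origin, images and fonts
# only from the listed hosts, no plugins.
FEED_READER_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'", "https://img.example.net"],   # constructed host
    "font-src": ["https://fonts.example.net"],          # constructed host
    "object-src": ["'none'"],
}


def serialize_policy(policy):
    """Turn the directive map into a header value: 'name src src; name src'."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def csp_headers(policy):
    """Header name/value pairs. Firefox of 2011 read X-Content-Security-Policy,
    Chrome and Safari 6 read X-WebKit-CSP; the unprefixed name is the W3C one.
    Sending all three is how a page covers every browser of that era."""
    value = serialize_policy(policy)
    return [
        ("Content-Security-Policy", value),
        ("X-Content-Security-Policy", value),
        ("X-WebKit-CSP", value),
    ]


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def is_allowed(policy, directive, resource_url, page_url, inline=False):
    """Simplified CSP 1.0 check: does the policy let the page load
    resource_url (or run an inline script/style when inline=True)
    under the given directive? Falls back to default-src; with neither
    present the fetch is unrestricted."""
    if directive not in policy and "default-src" not in policy:
        return True
    sources = policy.get(directive, policy.get("default-src", []))
    if inline:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    target = _origin(resource_url)
    for src in sources:
        if src == "'self'" and target == _origin(page_url):
            return True
        if src == target:
            return True
    return False


def feed_page(environ, start_response):
    """Minimal WSGI app: serve the reader page with the policy headers set."""
    body = b"<!doctype html><p>feed content rendered here</p>"
    headers = [("Content-Type", "text/html; charset=utf-8")]
    headers += csp_headers(FEED_READER_POLICY)
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    page = "https://reader.example.com/"
    for name, value in csp_headers(FEED_READER_POLICY):
        print(f"{name}: {value}")
    checks = [
        ("script-src", "https://reader.example.com/app.js", False),
        ("script-src", "https://evil.example.org/x.js", False),
        ("script-src", "", True),   # inline <script> injected via a feed
        ("img-src", "https://img.example.net/a.png", False),
        ("font-src", "https://reader.example.com/f.woff", False),
    ]
    for directive, url, inline in checks:
        what = "inline" if inline else url
        print(f"{directive:11} {what:45} allowed={is_allowed(FEED_READER_POLICY, directive, url, page, inline)}")
```

The interesting case for a feed reader is the third check: a `<script>` element smuggled inside feed markup is an inline script, and because `script-src` lists no `'unsafe-inline'` the policy blocks it regardless of what host the feed came from.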

I figured that Safari wouldn't be far behind since it shares a common heritage with Chrome. It took longer than expected, and at some point in version 5, it started almost supporting CSP. Trouble is, it didn't seem to interpret it properly, so it wound up seeing everything on my pages as one big violation. It was a mess.

With Safari 6, the same X-WebKit-CSP header Just Works. My pages pick this up automatically and will render feed content since it's a relatively safe environment. This brings full compatibility to yet another browser.

I should also mention that I gave fred a dose of Twitter Bootstrap redesign magic just like I did with my scanner project last month. I think it looks a whole lot nicer, and hope everyone else will agree.

Simple redesigns can make a huge difference in terms of usability.