
Re: No Recognized Directives problem

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 11 Apr 2011 15:23:44 -0700
Message-ID: <4DA37F70.4060305@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

On 3/28/11 1:36 PM, Brandon Sterne wrote:
> On 03/27/2011 05:10 PM, Adam Barth wrote:
>> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
>> says:
>>
>> [[
>> When a user-agent receives a policy that contains no directives
>> recognized by the user-agent, the user-agent MUST discard the entire
>> policy and enforce a policy of default-src 'none' on the protected
>> resource. User-agents SHOULD report a warning message to the error
>> console communicating that an invalid policy was received.
>> ]]
>>
>> That seems like a bad idea.  What happens when we invent some
>> directive in the future that is more popular than any of our current
>> directives?  Sites won't be able to use the new directive alone
>> because down-rev browsers will break their site by turning off all
>> resource loads!
>>
>> Adam

I pushed this change removing all effects of a policy containing zero
valid directives:
https://dvcs.w3.org/hg/content-security-policy/rev/1f104f20a225

Cheers,
Brandon
Received on Monday, 11 April 2011 22:24:22 GMT
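The forward-compatibility problem Adam describes, worked through as an added example (not code from the thread or from any CSP implementation): a toy user agent that only knows a handful of directives receives a policy made solely of a hypothetical future directive, and we compare the old draft rule (discard and enforce `default-src 'none'`) with the revised rule (the policy has no effect). The directive list, parser and matching rules are simplified assumptions for illustration, not the spec's normative algorithm.

```python
# Constructed set of directives this "down-rev" user agent understands.
KNOWN_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "report-uri"}


def parse_policy(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]} (toy parser)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence of a directive wins
    return policy


def effective_policy(header: str, strict_unknown: bool) -> dict:
    """Return the policy the user agent will actually enforce.

    strict_unknown=True  -> old draft text: no recognized directive => default-src 'none'
    strict_unknown=False -> revised rule: no recognized directive => no policy at all
    """
    parsed = parse_policy(header)
    recognized = {k: v for k, v in parsed.items() if k in KNOWN_DIRECTIVES}
    if recognized:
        return recognized
    if strict_unknown:
        return {"default-src": ["'none'"]}
    return {}


def allows(policy: dict, directive: str, origin: str, page_origin: str) -> bool:
    """Decide whether a load of `origin` for `directive` passes (toy source matching)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # no applicable directive: load is unrestricted
        return True
    if "'none'" in sources:
        return False
    if "*" in sources or origin in sources:
        return True
    return "'self'" in sources and origin == page_origin


if __name__ == "__main__":
    # Constructed header: only a directive this user agent has never heard of.
    future_only = "future-directive https://cdn.example"
    for strict in (True, False):
        enforced = effective_policy(future_only, strict)
        ok = allows(enforced, "script-src", "https://site.example", "https://site.example")
        print(f"strict={strict}: enforced={enforced} same-origin script allowed={ok}")
```

Under the old rule the site's own scripts are blocked by a browser that simply does not know the new directive; under the revised rule the unknown-only policy is inert and the page keeps working.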
