- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 11 Apr 2011 15:23:44 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 3/28/11 1:36 PM, Brandon Sterne wrote:
> On 03/27/2011 05:10 PM, Adam Barth wrote:
>> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
>> says:
>>
>> [[
>> When a user-agent receives a policy that contains no directives
>> recognized by the user-agent, the user-agent MUST discard the entire
>> policy and enforce a policy of default-src 'none' on the protected
>> resource. User-agents SHOULD report a warning message to the error
>> console communicating that an invalid policy was received.
>> ]]
>>
>> That seems like a bad idea. What happens when we invent some
>> directive in the future that is more popular than any of our current
>> directives? Sites won't be able to use the new directive alone
>> because down-rev browsers will break their site by turning off all
>> resource loads!
>>
>> Adam

I pushed this change removing all effects of a policy containing zero valid directives:
https://dvcs.w3.org/hg/content-security-policy/rev/1f104f20a225

Cheers,
Brandon
Received on Monday, 11 April 2011 22:24:22 UTC
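A minimal directive parser, added here as an illustration and not code from the thread or from the CSP spec, showing how the two readings differ for a down-rev user agent: the directive name `future-directive-x`, the recognized-directive set and the policy strings are constructed for the example.

```javascript
// Added example (not from the W3C thread or the CSP spec): a minimal CSP
// directive parser contrasting the spec text Adam quoted (a policy with no
// recognized directives => enforce default-src 'none') with the revised
// behaviour Brandon pushed (such a policy has no effect at all).
// The set of directives a browser "recognizes" is supplied by the caller.

// Parse "name src src; name src" into { name: [src, ...] }; directive
// names are case-insensitive and the first occurrence of a name wins.
function parsePolicy(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Reduce a received policy to what a user agent that knows `recognized`
// will enforce. mode 'discard' = the old text (no recognized directive
// => default-src 'none'); mode 'ignore' = the revised text (no recognized
// directive => empty policy, i.e. no restrictions).
function effectivePolicy(policy, recognized, mode) {
  const kept = {};
  for (const [name, sources] of Object.entries(parsePolicy(policy))) {
    if (recognized.has(name)) kept[name] = sources;
  }
  if (Object.keys(kept).length === 0) {
    return mode === 'discard' ? { 'default-src': ["'none'"] } : {};
  }
  return kept;
}

// Is a load governed by `directive` from `origin` allowed under
// `effective`? Falls back to default-src; no applicable directive => allowed.
function loadAllowed(effective, directive, origin) {
  const sources = effective[directive] || effective['default-src'];
  if (sources === undefined) return true;
  return sources.includes(origin) || sources.includes('*');
}

// Constructed scenario: a down-rev user agent knowing only three CSP 1.0
// directives receives a policy made solely of a hypothetical future
// directive (the name is made up for this example).
const DOWNREV = new Set(['default-src', 'script-src', 'img-src']);
const FUTURE_ONLY = 'future-directive-x https://cdn.example';
```

Under `'discard'` the down-rev browser blocks every image load on the site; under `'ignore'` the unknown directive is simply skipped, which is the outcome the revised spec text chooses.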