
Re: [Content Security Policy] Proposal to move the debate forward

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 01 Feb 2011 09:04:54 -0800
Message-ID: <4D483D36.5010904@mozilla.com>
To: Gervase Markham <gerv@mozilla.org>
CC: Adam Barth <w3c@adambarth.com>, Lucas Adamski <ladamski@mozilla.com>, public-web-security@w3.org
On 02/01/2011 01:45 AM, Gervase Markham wrote:
> The only difference between your proposal and ours is that because allow
> defaults to 'none', CSP as it stands would require 'allow <something>'
> on every policy, whereas yours does away with that. But I'm not seeing
> that as an enormous simplification.

> (We went backwards and forwards on whether allow should default to
> 'none' or *. I wish we'd written down the arguments on both sides.
> Perhaps Brandon or Lucas can remember some of them. If it defaulted to
> *, then our proposals would be equivalent.)

The case for a default policy of 'none' is that it is more secure, while
the case for default * is that it's more compatible.  In the thread I
started yesterday, "[Content Security Policy] A more modular approach",
I'm advocating switching to a default * policy (and making default-src
optional) so we can reconcile the two models and move forward.

-Brandon
Received on Tuesday, 1 February 2011 17:05:27 GMT
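The trade-off Brandon describes above, as an added example that is not part of this thread and not code from any browser's CSP implementation: a small, hypothetical policy evaluator in JavaScript that resolves a fetch directive, falls back to default-src, and then applies a chosen default ('none' or *) when the policy has no default-src at all. The directive names, the constructed policy string, the sample page origin and URLs, and the simplified source-expression matcher are all assumptions made for illustration; they approximate, rather than reproduce, the CSP matching rules of the time.

```javascript
// Added example (not from the e-mail thread): a minimal CSP directive
// evaluator showing how the default chosen for a missing default-src
// ('none' vs *) decides whether an unlisted resource type may load.
// The source-expression matcher is a simplified, hypothetical
// approximation, not a reference implementation.

// Parse "name src src; name src" into a Map of directive -> source list.
// As in CSP, the first occurrence of a directive wins.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match the resource URL?
// Supported: 'none', *, 'self', scheme sources (https:), and host sources
// with optional scheme, leading *. wildcard and port.
function sourceMatches(expr, resourceUrl, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return resourceUrl.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return resourceUrl.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && resourceUrl.protocol !== scheme.toLowerCase() + ':') return false;
  const rh = resourceUrl.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !rh.endsWith('.' + h) : rh !== h) return false;
  if (port && port !== '*') {
    // URL.port is '' for the scheme's default port; normalise before comparing.
    const defaults = { 'http:': '80', 'https:': '443' };
    const effective = resourceUrl.port || defaults[resourceUrl.protocol] || '';
    if (effective !== port) return false;
  }
  return true;
}

// Decide whether a load governed by `resourceType` (e.g. 'img-src') from
// `resourceUrl` is permitted. `missingDefault` is what applies when the policy
// has no default-src: "'none'" (the draft's secure default) or '*'
// (the compatible default proposed in the e-mail).
function isAllowed(policyText, resourceType, resourceUrl, pageOrigin, missingDefault) {
  const directives = parsePolicy(policyText);
  let sources = directives.get(resourceType);
  if (sources === undefined) sources = directives.get('default-src');
  if (sources === undefined) sources = [missingDefault];
  const url = new URL(resourceUrl);
  return sources.some(expr => sourceMatches(expr, url, pageOrigin));
}

// Run a constructed policy that lists only script-src under both defaults.
// Returns { "'none'": [...], "*": [...] } with one boolean per case.
function compareDefaults() {
  const page = 'https://app.example';                        // constructed origin
  const policy = "script-src 'self' https://cdn.example.com"; // no default-src
  const cases = [
    ['script-src', 'https://app.example/main.js'],           // listed: allowed either way
    ['script-src', 'https://evil.example/x.js'],             // listed: blocked either way
    ['img-src',    'https://images.example/logo.png'],       // unlisted: depends on default
  ];
  const out = {};
  for (const def of ["'none'", '*']) {
    out[def] = cases.map(([type, u]) => isAllowed(policy, type, u, page, def));
  }
  return out;
}

console.log(compareDefaults());
```

Only the third case differs between the two models: with a default of 'none' a site that forgets to list img-src silently breaks its images, which is why that default is the more secure but less compatible one; with a default of * the same policy still constrains scripts while leaving everything it does not mention alone, and a site that wants the strict behaviour writes `default-src 'none'` explicitly.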
