
Re: [Content Security Policy] A more modular approach

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 01 Feb 2011 09:14:08 -0800
Message-ID: <4D483F60.2040607@mozilla.com>
To: Jochen Eisinger <eisinger@google.com>
CC: public-web-security@w3.org
On 02/01/2011 04:40 AM, Jochen Eisinger wrote:
> Hey,
> 
> I might be overlooking something, but will this proposal allow for
> blocking sources based on the protocol used, i.e. to support the use
> case of disallowing resources served via http from an https site?

Indeed.  Both Adam's and Mozilla's proposals optionally allow schemes
(and ports) to be whitelisted in the policy.  In the use case you
mentioned, a policy might look like:
default-src https://*

or:
default-src https://*:443 ; script-src https://my.site:443

Cheers,
Brandon
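As an added illustration (not part of the thread or of either proposal), the following is a simplified model of how a browser would apply the two policies Brandon quotes: the source list fixes the scheme, host and port a resource may come from, and a directive absent from the policy falls back to default-src. It handles only host-source expressions of the form scheme://host:port with * wildcards plus 'none'; paths, 'self', nonces, hashes and scheme-only sources are left out, and the function and variable names are the example's own.

```javascript
// Added example: a simplified model of CSP host-source matching, showing how
// "default-src https://*" keeps an https page from loading http resources.
// It handles only scheme://host:port sources (with * wildcards) and 'none';
// real CSP also has paths, 'self', nonces, hashes and scheme-only sources.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// "default-src https://*:443 ; script-src https://my.site:443"
//   -> { 'default-src': ['https://*:443'], 'script-src': ['https://my.site:443'] }
function parsePolicy(header) {
  const policy = {};
  for (const clause of header.split(';')) {
    const [name, ...sources] = clause.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective port of a URL, filling in the scheme's default when it is implicit.
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one host-source expression (e.g. "https://*:443") admit this URL?
// `pageUrl` supplies the scheme when the source gives none, as CSP does.
function sourceMatches(source, url, pageUrl) {
  if (source === "'none'") return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/\s]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // unsupported or malformed source expression
  const [, scheme, host, port] = m;

  // Scheme: the source's scheme, or the page's own scheme when omitted.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : pageUrl.protocol;
  if (url.protocol !== wantScheme) return false;

  // Host: "*" matches anything, "*.example.com" matches subdomains only,
  // otherwise an exact (case-insensitive) match is required.
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (want !== '*') {
    if (want.startsWith('*.')) {
      if (!h.endsWith(want.slice(1))) return false;
    } else if (h !== want) {
      return false;
    }
  }

  // Port: an explicit port must match (or be "*"); an omitted port means the
  // URL must be on its scheme's default port.
  if (port === undefined) return portOf(url) === DEFAULT_PORTS[url.protocol];
  return port === '*' || port === portOf(url);
}

// Decide whether a resource may load for a given directive (e.g. "script-src"),
// falling back to default-src as CSP does. With neither directive present the
// policy says nothing about that resource type, so the load is allowed.
function resourceAllowed(header, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, new URL(resourceUrl), new URL(pageUrl)));
}

// Constructed demo mirroring the first policy in the message above.
if (typeof require !== 'undefined' && require.main === module) {
  const demoPage = 'https://my.site/';
  console.log(resourceAllowed('default-src https://*', 'script-src', 'http://cdn.example/x.js', demoPage));  // false
  console.log(resourceAllowed('default-src https://*', 'script-src', 'https://cdn.example/x.js', demoPage)); // true
}
```

With the second policy from the message, an image from any https host on port 443 is admitted through default-src, while a script is admitted only from my.site over https; the same script over http is refused because the scheme is part of the source expression.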
Received on Tuesday, 1 February 2011 17:14:38 GMT