Re: [Content Security Policy] A more modular approach

From: Gervase Markham <gerv@mozilla.org>
Date: Wed, 02 Feb 2011 09:37:35 +0000
Message-ID: <4D4925DF.5090103@mozilla.org>
To: Adam Barth <w3c@adambarth.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 01/02/11 18:47, Adam Barth wrote:
> The main risk with that approach is that default-src means something
> different in each implementation.  To be sure you're not breaking
> things, you need to test in every browser.  That said, I don't feel
> that strongly about it.

It does, but what needs to be clear is the message to web developers.
And I think it can be clear:

"_Assume_ that everything not more specifically specified is covered by
default-src."

That is true whichever browser you are using.

> Yeah, the more I think about it, the more I think it makes sense to
> lump these together.  The distinctions are pretty subtle.  If we want
> to give authors more control over plug-ins, the ability to control
> which plugins are loaded seems more useful.

So you would be in favour of removing script-src and object-src and just
having a code-src?

Gerv
Received on Wednesday, 2 February 2011 09:38:10 GMT
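As an added illustration of the rule of thumb Gerv states above (this is example code, not from the thread or from any browser's CSP implementation): a small policy evaluator that parses a CSP header, treats every directive the policy does not set explicitly as governed by default-src, and lists which directives depend on that fallback, which are exactly the ones whose behaviour varied between implementations at the time. The directive names, host names and the simple source matcher are assumptions for the example.

```python
# Added example, not code from the thread or any browser: evaluate a CSP
# policy under the conservative assumption "anything not more
# specifically specified is covered by default-src".

# Illustrative directive set (not any particular browser's list).
KNOWN_DIRECTIVES = ("script-src", "object-src", "img-src", "style-src",
                    "font-src", "media-src", "frame-src", "xhr-src")

def parse_policy(header):
    """Parse 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Source list governing a directive: its own list if set, otherwise
    default-src. None means the policy restricts this directive not at all."""
    return policy.get(directive, policy.get("default-src"))

def fallback_directives(policy):
    """Directives that rely on default-src under the assumption above;
    these are the ones a developer should test in every browser."""
    return [d for d in KNOWN_DIRECTIVES if d not in policy]

def _source_matches(source, origin, page_origin):
    # Minimal matcher over host names: '*', 'self', '*.host' and exact host.
    if source == "*":
        return True
    if source == "'self'":
        return origin == page_origin
    if source.startswith("*."):
        return origin.endswith(source[1:])      # 'a.example.com' matches '*.example.com'
    return source == origin

def is_allowed(policy, directive, origin, page_origin):
    """Would a load from `origin` be permitted for `directive`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True                             # nothing restricts this directive
    if sources == ["'none'"]:
        return False
    return any(_source_matches(s, origin, page_origin) for s in sources)

if __name__ == "__main__":
    # Constructed sample policy and host names.
    p = parse_policy("default-src 'self'; script-src 'self' cdn.example.com; img-src *")
    print("relying on default-src:", fallback_directives(p))
```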