
JavaScript URLs and script-src nit

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 18 Feb 2011 18:09:55 -0800
Message-ID: <AANLkTi=1PY-GfyXbKZx+OEiF=f2cVJmUAtAJgROm+vGi@mail.gmail.com>
To: public-web-security@w3.org

In the Mozilla CSP spec, the presence of any Content-Security-Policy at all triggers blocking of JavaScript URLs.  I think it would make more sense to trigger blocking of JavaScript URLs on the script-src directive (including the default-src directive, which implies a script-src).  IMHO, the empty CSP policy (e.g., "") shouldn't have any effects.

Technically, this isn't really a change from the Mozilla CSP spec
because the Mozilla CSP spec used to require that all policies had a
default-src (then called "allow").  This difference is only detectable
now because default-src is optional.

Thoughts?
Adam
Received on Saturday, 19 February 2011 02:10:58 GMT
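To make the two rules in the mail concrete, here is an added example (not code from the mail or from any CSP implementation) that parses a Content-Security-Policy header value into its directives and reports whether javascript: URLs would be blocked under the original Mozilla rule (any policy present) versus the proposed rule (script-src present, or default-src, which implies it). The parser and the `'unsafe-inline'`-free decision are simplifications assumed for illustration; the mail does not discuss source expressions.

```javascript
'use strict';

// Parse a CSP header value such as "default-src 'self'; img-src *" into a
// Map of directive name -> array of source tokens. Directive names are
// case-insensitive; the first occurrence of a name wins; empty segments
// (as in "" or trailing ";") contribute nothing.
function parsePolicy(header) {
  const directives = new Map();
  for (const segment of String(header).split(';')) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1));
    }
  }
  return directives;
}

// Original Mozilla rule as described in the mail: the mere presence of a
// Content-Security-Policy header, even an empty one, blocks javascript: URLs.
function mozillaRuleBlocksJavaScriptUrls(header) {
  return header !== null && header !== undefined;
}

// Proposed rule: javascript: URLs are blocked only when the policy carries a
// script-src directive, or a default-src directive (which implies script-src).
// A policy with neither, including the empty policy "", has no effect.
function proposedRuleBlocksJavaScriptUrls(header) {
  if (header === null || header === undefined) return false;
  const directives = parsePolicy(header);
  return directives.has('script-src') || directives.has('default-src');
}

// Side-by-side comparison of the two rules for one header value.
function compareRules(header) {
  return {
    header,
    mozilla: mozillaRuleBlocksJavaScriptUrls(header),
    proposed: proposedRuleBlocksJavaScriptUrls(header),
  };
}

// Constructed sample headers: the empty policy is where the rules diverge.
const SAMPLE_HEADERS = ['', "img-src 'self'", "default-src 'self'",
  "script-src https://example.com; img-src *"];
for (const h of SAMPLE_HEADERS) console.log(compareRules(h));
```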
