In the Mozilla CSP spec, the presence of any Content-Security-Policy at all triggers blocking of JavaScript URLs. I think it would make more sense to trigger blocking of JavaScript URLs on the script-src directive (including the default-src directive, which implies a script-src). IMHO, the empty CSP policy (e.g., "") shouldn't have any effects.

Technically, this isn't really a change from the Mozilla CSP spec because the Mozilla CSP spec used to require that all policies had a default-src (then called "allow"). This difference is only detectable now because default-src is optional.

Thoughts?

Adam

Received on Saturday, 19 February 2011 02:10:58 GMT
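The two trigger rules contrasted in the message, as an added example that is not part of the original post or of any browser's code. The function names, the minimal directive parser and the sample policies are assumptions constructed for illustration; the model covers only the question of when JavaScript URL blocking is triggered.

```javascript
// Simplified model of the two trigger rules from the message above.
// A policy of null means "no Content-Security-Policy header was sent".

// Parse a policy string into a Map of lowercase directive name -> source list.
// Minimal split on ';' and whitespace; in this model the first occurrence
// of a directive is kept and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Rule A (the behaviour the message attributes to the Mozilla CSP spec):
// the presence of any policy at all, even the empty one, triggers blocking.
function blocksJsUrlAnyPolicy(policy) {
  return policy !== null && policy !== undefined;
}

// Rule B (the proposal): blocking is triggered by script-src, or by
// default-src, which implies a script-src.
function blocksJsUrlScriptSrc(policy) {
  if (policy === null || policy === undefined) return false;
  const directives = parsePolicy(policy);
  return directives.has("script-src") || directives.has("default-src");
}

// Constructed sample policies; the empty string is the case the message
// singles out as the only one where the two rules now differ in effect.
const SAMPLES = [null, "", "img-src 'self'", "default-src 'self'",
                 "img-src *; script-src 'self'"];

function compareRules(samples) {
  return samples.map((policy) => ({
    policy,
    anyPolicy: blocksJsUrlAnyPolicy(policy),
    scriptSrc: blocksJsUrlScriptSrc(policy),
  }));
}

for (const row of compareRules(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

The rows where `anyPolicy` and `scriptSrc` disagree are exactly the policies that carry neither script-src nor default-src, which became possible once default-src was made optional.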