
Re: [Content Security Policy] Proposal to move the debate forward

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Sun, 30 Jan 2011 15:21:47 -0500
Message-ID: <AANLkTi=VrCekcQ7y+LLqUxgJ=guWX0ikQi5NSPaDLq8q@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On Sat, Jan 29, 2011 at 10:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> Think of "allow" as "default-src": it provides the value for any
> missing directive. Your policy has an explicit img-src and
> script-src so those are what will be used for those types (and you
> did not specify 'self' for those so you won't be able to load
> scripts from your own site). Any other type of content (stylesheets,
> plugins, etc) will be limited to 'self'.

Perhaps "allow" should be renamed to "default-src"?  It seems
significantly more intuitive.
Received on Sunday, 30 January 2011 20:22:40 GMT
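The fallback rule Dan describes above (an explicit directive is used as-is, any missing directive takes its value from "allow", later renamed "default-src") is shown below as an added example. It is not code from this thread or from any browser's CSP implementation; the policy string, the document origin and the URLs are constructed for illustration, and the host-source matcher is a simplified version of what CSP later specified (schemes, hosts, "*." wildcards and explicit ports only, no paths or nonces).

```javascript
// Added example: a minimal resolver for the CSP "allow"/"default-src" fallback
// rule. Constructed for illustration; not from the original thread or any browser.

// Parse "directive source source; directive ..." into a Map of directive -> [sources].
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // First occurrence wins, as CSP later specified for duplicate directives.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive: an explicit directive is used
// as-is; otherwise fall back to "default-src" (the later name) or "allow"
// (the 2011-era name used in the thread). null means "unrestricted".
function effectiveSources(directives, directiveName) {
  if (directives.has(directiveName)) return directives.get(directiveName);
  if (directives.has('default-src')) return directives.get('default-src');
  if (directives.has('allow')) return directives.get('allow');
  return null;
}

// Does one source expression match a URL, given the document's origin?
function sourceMatches(source, url, documentOrigin) {
  const lowered = source.toLowerCase();
  if (lowered === "'none'") return false;
  if (lowered === '*') return true;
  if (lowered === "'self'") return url.origin === documentOrigin;
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(lowered)) return url.protocol === lowered;
  // Host source, optionally with scheme, leading "*." wildcard and port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+))?$/.exec(lowered);
  if (!m) return false; // other quoted keywords ('unsafe-inline' etc.) never match a URL
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== url.protocol) return false;
  const urlHost = url.hostname.toLowerCase();
  const hostOk = wildcard ? urlHost.endsWith('.' + host) : urlHost === host;
  if (!hostOk) return false;
  const urlPort = url.port || ({ 'https:': '443', 'http:': '80' }[url.protocol] || '');
  if (port && port !== urlPort) return false;
  return true;
}

// Decide whether a resource of the given type at urlString may load.
function isAllowed(policyText, directiveName, urlString, documentOrigin) {
  const sources = effectiveSources(parsePolicy(policyText), directiveName);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some(s => sourceMatches(s, url, documentOrigin));
}

// Constructed policy in the shape the thread describes: explicit img-src and
// script-src that omit 'self', everything else falling back to "allow 'self'".
const EXAMPLE_POLICY = "allow 'self'; img-src *; script-src https://cdn.example.com";
const ORIGIN = 'https://app.example.org'; // constructed document origin

function demo() {
  return {
    ownScript: isAllowed(EXAMPLE_POLICY, 'script-src', 'https://app.example.org/app.js', ORIGIN), // false: script-src lacks 'self'
    cdnScript: isAllowed(EXAMPLE_POLICY, 'script-src', 'https://cdn.example.com/lib.js', ORIGIN), // true
    anyImage:  isAllowed(EXAMPLE_POLICY, 'img-src', 'http://tracker.example.net/p.gif', ORIGIN),  // true: img-src *
    ownStyle:  isAllowed(EXAMPLE_POLICY, 'style-src', 'https://app.example.org/a.css', ORIGIN),   // true: falls back to allow 'self'
    cdnStyle:  isAllowed(EXAMPLE_POLICY, 'style-src', 'https://cdn.example.com/a.css', ORIGIN),   // false
  };
}

console.log(demo());
```

The `ownScript` result is the trap Dan points out: once a type has its own directive, the "allow" list no longer applies to it at all, so a site that writes `script-src https://cdn.example.com` without 'self' has just blocked its own scripts.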
