
Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Mon, 31 Jan 2011 09:34:25 +0000
Message-ID: <4D468221.2010608@mozilla.org>
To: public-web-security@w3.org
On 29/01/11 09:11, gaz Heyes wrote:
> Ok grrrr I know how to set an HTTP header but the syntax is confusing, for
> example:
> header("X-Content-Security-Policy: allow 'self'; img-src
> www.gmodules.com; script-src *.businessinfo.co.uk;");
>
> In particular the semicolon: it seems to indicate the next statement, yet
> how are they related to the "allow" statement? They don't seem to be
> grouped in any way. The quoted string is confusing: why do we need it for
> allow when we have protocols? I assume it means allow self for img-src
> and script-src, but how do I know I'm right?

This is a reasonable point. The name "allow" doesn't make it all that 
clear that it's the 'global' or 'fallback' declaration. Possible 
alternatives:

default-src
default-src-allow
general-src
everything-else-src
anything-not-specified-more-specifically-src

Gerv
Received on Monday, 31 January 2011 09:35:01 GMT
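The question in the quoted mail (what the semicolons separate, and whether `allow 'self'` is combined with `img-src` and `script-src` or replaced by them) can be answered by modelling the policy. The following is an added example, not code from this thread or from any browser: a toy parser for the directive syntax shown above, with a fallback lookup that treats `allow` (the X-CSP name) and `default-src` (the name proposed in the reply) as the directive consulted only when no more specific one is present. It assumes host-only source matching (schemes, ports and paths are ignored) and the constructed sample header is the one from the quoted mail with the mail client's autolink residue removed.

```python
"""Toy X-Content-Security-Policy directive parser (added example, not from the thread).

Models two things the quoted question asks about:
  * ';' ends one directive; the tokens before the first space name it, the
    rest are its source list, so directives are not grouped under 'allow'.
  * 'allow' / 'default-src' is a fallback: it applies only to resource types
    that have no directive of their own. An explicit 'img-src' replaces the
    fallback for images entirely; it does not add 'self' to it.
Simplification (assumption): sources are matched by host only, no scheme,
port or path handling.
"""
from __future__ import annotations

# Old X-CSP name first, then the name proposed in the reply above.
FALLBACK_NAMES = ("allow", "default-src")


def parse_policy(header_value: str) -> dict[str, list[str]]:
    """Split "name src src; name src" into {name: [sources]}.

    Keyword sources such as 'self' and 'none' keep their quotes; that is
    what distinguishes the keyword 'self' from a host literally named self.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # a trailing ';' produces an empty directive; ignore it
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence wins; duplicates ignored
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that governs `directive`, using the fallback only
    when the directive itself is absent. None means nothing restricts it."""
    if directive in policy:
        return policy[directive]
    for fallback in FALLBACK_NAMES:
        if fallback in policy:
            return policy[fallback]
    return None


def source_matches(source: str, origin_host: str, target_host: str) -> bool:
    """Host-only matching for one source expression (simplified, see module doc)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return target_host == origin_host
    if source == "*":
        return True
    if source.startswith("*."):
        # *.example.com matches any subdomain but not the bare apex host.
        return target_host.endswith(source[1:])
    return target_host == source


def is_allowed(policy: dict[str, list[str]], directive: str,
               origin_host: str, target_host: str) -> bool:
    """Would a load governed by `directive` from `target_host` be permitted?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # neither a specific directive nor a fallback: unrestricted
    return any(source_matches(src, origin_host, target_host) for src in sources)


if __name__ == "__main__":
    # Constructed sample: the header from the quoted mail, autolinks stripped.
    header = "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;"
    policy = parse_policy(header)
    page_host = "example.com"  # constructed origin for the page carrying the header
    for directive, host in [("img-src", "www.gmodules.com"), ("img-src", page_host),
                            ("script-src", "cdn.businessinfo.co.uk"),
                            ("script-src", "businessinfo.co.uk"),
                            ("style-src", page_host)]:
        print(f"{directive:10} {host:28} -> {is_allowed(policy, directive, page_host, host)}")
```

Running it shows the point the quoted question missed: with this header, an image from the page's own origin is blocked, because `img-src www.gmodules.com` replaces the `'self'` fallback for images rather than extending it. A site that wants both has to list `'self'` again in `img-src`, which is exactly the kind of confusion a name like `default-src` makes easier to spot.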
