- From: Gervase Markham <gerv@mozilla.org>
- Date: Mon, 31 Jan 2011 09:34:25 +0000
- To: public-web-security@w3.org
On 29/01/11 09:11, gaz Heyes wrote:
> Ok, grrrr. I know how to set an HTTP header, but the syntax is confusing,
> for example:
> header("X-Content-Security-Policy: allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;");
>
> In particular the semicolon: it seems to indicate the next statement, yet
> how are they related to the "allow" statement? They don't seem to be
> grouped in any way. The quoted string is confusing too: why do we need it
> for allow when we have protocols? I assume it means allow self for img-src
> and script-src, but how do I know I'm right?
This is a reasonable point. The name "allow" doesn't make it all that
clear that it's the 'global' or 'fallback' declaration. Possible
alternatives:
default-src
default-src-allow
general-src
everything-else-src
anything-not-specified-more-specifically-src
Gerv
Received on Monday, 31 January 2011 09:35:01 UTC
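To make the semantics gaz is asking about concrete, here is a small Python model of the X-Content-Security-Policy syntax from the thread. It is an added example, not code from the thread or from Mozilla's implementation, and it assumes the draft's rule that `allow` supplies the source list for every directive that is not given explicitly; the document URL, the `DEFAULT_PORTS` table and the set of directive names are my assumptions for the example.

```python
"""Model of the draft X-Content-Security-Policy header syntax (added example).

Assumed rules, matching the 2011 draft discussed in the thread:
  * directives are separated by ';'
  * each directive is a name followed by a whitespace-separated source list
  * 'allow' is the fallback source list for any directive not set explicitly,
    so it does NOT get merged into a directive that is present
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed default ports for scheme/host/port origin comparison.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split 'allow a b; img-src c' into {'allow': ['a', 'b'], 'img-src': ['c']}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:            # tolerates the trailing ';' in gaz's example
            continue
        name = tokens[0].lower()
        if name in policy:        # duplicate directive: first one wins (assumption)
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Explicit directive if present, otherwise the 'allow' fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("allow", [])


def _origin(url: str):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_matches(expr: str, url: str, document_url: str) -> bool:
    """Does one source expression ('self', '*', host[:port], *.host, scheme://host) allow url?"""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":          # same scheme, host and port as the document
        return _origin(url) == _origin(document_url)
    scheme, host, port = _origin(url)
    want_scheme, sep, rest = expr.partition("://")
    if not sep:
        want_scheme, rest = "", expr
    if want_scheme and want_scheme != scheme:
        return False
    want_host, _, want_port = rest.partition(":")
    if want_port and want_port != "*" and int(want_port) != port:
        return False
    if want_host.startswith("*."):
        # '*.a.b' matches 'x.a.b' but not the bare 'a.b'
        return host.endswith(want_host[1:])
    return host == want_host


def allowed(policy: Dict[str, List[str]], directive: str, url: str, document_url: str) -> bool:
    """Would a load governed by `directive` from `url` be permitted?"""
    return any(source_matches(e, url, document_url)
               for e in effective_sources(policy, directive))


# Constructed input: the header from the thread and an assumed document URL.
EXAMPLE_HEADER = "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;"
DOCUMENT_URL = "http://www.businessinfo.co.uk/page.html"
```

Run against the thread's own header, `img-src` resolves to `www.gmodules.com` only: `'self'` from `allow` does not carry into a directive that is listed explicitly, so an image from the page's own host is blocked while `style-src`, which is not listed, falls back to `'self'`. The wildcard `*.businessinfo.co.uk` matches `cdn.businessinfo.co.uk` but not the bare `businessinfo.co.uk`. The name that eventually went into the CSP specification was Gerv's first suggestion, `default-src`.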