
Re: Unofficial Draft of Content Security Policy

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 08 Mar 2011 09:43:54 -0800
Message-ID: <4D766ADA.9060309@mozilla.com>
To: Collin Jackson <collin.jackson@sv.cmu.edu>
CC: "public-web-security@w3.org" <public-web-security@w3.org>

On 03/06/2011 10:14 PM, Collin Jackson wrote:
> In Section 3.2, I don't think an empty policy should be a processing
> error (it should just be ignored), but if you do want to consider it an
> error, then I think the safest and most reasonable thing to do is not to
> render the document at all.

Hey Collin,

So, two points to respond to this:

1. As the document notes, there is still an unresolved issue over what
to do with an empty policy: a) most restrictive, or b) most permissive.
Mozilla felt that a) was preferable because it allows us to "fail
closed", something we tried to do consistently throughout the model.  We
also wanted to "fail early and fail hard" so that it is obvious to the
developer that something has gone horribly wrong.  When every image,
script and stylesheet fails to load in a resource it's fairly obvious :-)

Can you make a case for why b) is preferable?

2. Do you think rendering a blank page is better than rendering a
"default-src 'none'" page?  I'm not sure either actually directly
conveys the message that "something has gone wrong with CSP", but the
plain-HTML page with no images, etc. seems to convey slightly more.

I'm not opposed to what you are suggesting, only trying to understand
the position a bit better.

Cheers,
Brandon
Received on Tuesday, 8 March 2011 17:43:17 GMT
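
The two empty-policy options discussed in the message above, as an added example that is not part of the message or of the draft: a simplified JavaScript model in which option a) maps an empty policy to "default-src 'none'" and option b) enforces nothing. The function names, the `emptyMode` parameter, the sample origins and the matching rules are assumptions made for illustration, not the draft's parsing algorithm.

```javascript
// Simplified model: exact-match sources, "*" wildcard and 'none' only.

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of String(header || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty segments such as " ; ;"
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve the policy to enforce. emptyMode (hypothetical name) selects:
//   "restrictive" = option a): treat as default-src 'none' (fail closed)
//   "permissive"  = option b): enforce nothing
function effectivePolicy(header, emptyMode) {
  const parsed = parsePolicy(header);
  if (parsed.size > 0) return parsed;
  if (emptyMode === "restrictive") return new Map([["default-src", ["'none'"]]]);
  return null; // no policy enforced
}

// Decide whether a load of type "img", "script" or "style" is allowed.
function allowsLoad(policy, type, origin) {
  if (policy === null) return true;
  const sources = policy.get(type + "-src") || policy.get("default-src");
  if (!sources) return true; // assumption: no applicable directive, no restriction
  if (sources.includes("'none'")) return false;
  return sources.includes("*") || sources.includes(origin);
}

// Constructed sample: the subresource loads of one page.
const SAMPLE_LOADS = [
  ["img", "https://cdn.example"],
  ["script", "https://cdn.example"],
  ["style", "https://static.example"],
];

// Number of sample loads the resolved policy blocks.
function blockedCount(header, emptyMode) {
  const policy = effectivePolicy(header, emptyMode);
  return SAMPLE_LOADS.filter(([t, o]) => !allowsLoad(policy, t, o)).length;
}

console.log(blockedCount("", "restrictive"), blockedCount("", "permissive"));
```

A whitespace-only or separator-only header is treated the same as an empty one, so a policy that was meant to be non-empty but got mangled lands in whichever mode is chosen.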