W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

Re: Unofficial Draft of Content Security Policy

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 08 Mar 2011 10:50:25 -0800
Message-ID: <4D767A71.9000202@mozilla.com>
To: Collin Jackson <collin.jackson@sv.cmu.edu>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
On 03/08/2011 09:43 AM, Brandon Sterne wrote:
> 1. As the document notes, there is still an unresolved issue over what
> to do with an empty policy: a) most restrictive, or b) most permissive.
>  Mozilla felt that a) was preferable because it allows us to "fail
> closed", something we tried to do consistently throughout the model.  We
> also wanted to "fail early and fail hard" so that it is obvious to the
> developer that something has gone horribly wrong.  When every image,
> script and stylesheet fails to load in a resource it's fairly obvious :-)
> 
> Can you make a case for why b) is preferable?

Going back, I see you made a fairly compelling case for b) here:
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html

I'm torn myself.  What do others think?

-Brandon
Received on Tuesday, 8 March 2011 18:49:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 March 2011 18:49:46 GMT