Re: Unofficial Draft of Content Security Policy

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Mar 2011 11:11:35 -0800
Message-ID: <AANLkTi=xv64L_TodCCEf3JX=MVFKadvsJtRSJdDHkMqK@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>

On Tue, Mar 8, 2011 at 10:50 AM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 03/08/2011 09:43 AM, Brandon Sterne wrote:
>> 1. As the document notes, there is still an unresolved issue over what
>> to do with an empty policy: a) most restrictive, or b) most permissive.
>>  Mozilla felt that a) was preferable because it allows us to "fail
>> closed", something we tried to do consistently throughout the model.  We
>> also wanted to "fail early and fail hard" so that it is obvious to the
>> developer that something has gone horribly wrong.  When every image,
>> script and stylesheet fails to load in a resource it's fairly obvious :-)
>>
>> Can you make a case for why b) is preferable?
>
> Going back, I see you made a fairly compelling case for b) here:
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
>
> I'm torn myself.  What do others think?

We're going to be more successful getting folks to use CSP for new
kinds of policies in the future if CSP has less intrinsic baggage.
For example, Anne's From-Origin HTTP header should be a CSP directive
not yet-another-HTTP-header, but he's not going to like any coupling
between From-Origin and how inline event handlers behave.

Adam
Received on Tuesday, 8 March 2011 19:12:44 GMT
