
No Recognized Directives problem

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 27 Mar 2011 17:10:12 -0700
Message-ID: <AANLkTikQhEARh_vowavgtFvpC9w+k-RpBy=0Ts7Tu2M9@mail.gmail.com>
To: public-web-security@w3.org

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
says:

[[
When a user-agent receives a policy that contains no directives
recognized by the user-agent, the user-agent MUST discard the entire
policy and enforce a policy of default-src 'none' on the protected
resource. User-agents SHOULD report a warning message to the error
console communicating that an invalid policy was received.
]]

That seems like a bad idea.  What happens when we invent some
directive in the future that is more popular than any of our current
directives?  Sites won't be able to use the new directive alone
because down-rev browsers will break their site by turning off all
resource loads!

Adam
Received on Monday, 28 March 2011 00:11:16 GMT
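The rule quoted in the message, as an added toy model (not browser code and not part of the post): it assumes a down-rev user agent that recognizes only the constructed directive set `RECOGNIZED_2011`, and uses `future-src` as a placeholder for a directive invented later. It contrasts a site that ships only the future directive with one that also carries a directive the old user agent understands.

```python
# Toy model of the quoted CSP rule. RECOGNIZED_2011 is an assumed directive
# set for a hypothetical down-rev user agent; "future-src" is a constructed
# placeholder for a directive that does not exist yet.
RECOGNIZED_2011 = {"default-src", "script-src", "img-src", "style-src", "report-uri"}

def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_policy(header, recognized=RECOGNIZED_2011):
    """Apply the quoted rule: keep recognized directives; if none remain,
    discard the whole policy and enforce default-src 'none'.
    Returns (policy, discarded)."""
    parsed = parse_policy(header)
    kept = {d: s for d, s in parsed.items() if d in recognized}
    if not kept:
        return {"default-src": ["'none'"]}, True
    return kept, False

def load_allowed(policy, directive, origin):
    """Would a fetch governed by `directive` from `origin` be allowed?
    Falls back to default-src; no applicable directive means unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return "'none'" not in sources and ("*" in sources or origin in sources)

# Constructed header: the site uses only the hypothetical future directive.
FUTURE_ONLY = "future-src https://cdn.example"
# Constructed header: the future directive next to one the old UA understands.
MIXED = "future-src https://cdn.example; img-src https://img.example"

def demo():
    """For each header: (policy discarded?, image load ok?, script load ok?)."""
    results = {}
    for name, header in (("future_only", FUTURE_ONLY), ("mixed", MIXED)):
        policy, discarded = effective_policy(header)
        results[name] = (
            discarded,
            load_allowed(policy, "img-src", "https://img.example"),
            load_allowed(policy, "script-src", "https://cdn.example"),
        )
    return results
```

Under the quoted rule the future-only site loses every resource load on the old user agent, while the mixed policy keeps working because one recognized directive is enough to avoid the discard.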
