- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 27 Mar 2011 17:10:12 -0700
- To: public-web-security@w3.org
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html says:

[[
When a user-agent receives a policy that contains no directives recognized by the user-agent, the user-agent MUST discard the entire policy and enforce a policy of default-src 'none' on the protected resource. User-agents SHOULD report a warning message to the error console communicating that an invalid policy was received.
]]

That seems like a bad idea. What happens when we invent some directive in the future that is more popular than any of our current directives? Sites won't be able to use the new directive alone because down-rev browsers will break their site by turning off all resource loads!

Adam
Received on Monday, 28 March 2011 00:11:16 UTC
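The forward-compatibility failure described in the message, as an added example that is not part of the original e-mail or of the CSP specification: a toy CSP header parser that models both the quoted draft rule (no recognised directive means default-src 'none') and the alternative of simply ignoring unrecognised directives. The 2011-era directive set, the treatment of a partly recognised policy (unknown directives dropped, known ones kept), the use of frame-ancestors as the "future" directive, the origins and the header value are all assumptions made for the example.

```javascript
// Added example, not code from the e-mail or the CSP spec. Models how a
// down-rev browser handles a policy whose only directive it does not know.

// Assumption: directives a hypothetical 2011-era browser understands.
const KNOWN_2011 = new Set([
  'default-src', 'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src', 'report-uri',
]);

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// The quoted draft rule: if no directive is recognised, discard the policy and
// enforce default-src 'none' with a console warning. Assumption: when at least
// one directive is recognised, unknown directives are dropped and the rest kept.
function applyDraftRule(header, known) {
  const parsed = parsePolicy(header);
  const effective = new Map([...parsed].filter(([name]) => known.has(name)));
  if (effective.size === 0) {
    return {
      policy: new Map([['default-src', ["'none'"]]]),
      warning: 'invalid policy received: no recognised directives',
    };
  }
  return { policy: effective, warning: null };
}

// The alternative the message argues for: ignore unknown directives, and if
// nothing recognisable remains, enforce no policy at all.
function applyLenientRule(header, known) {
  const parsed = parsePolicy(header);
  return {
    policy: new Map([...parsed].filter(([name]) => known.has(name))),
    warning: null,
  };
}

// Minimal source-expression matching: 'none', '*', 'self', or an exact origin.
function matchesSource(sources, url, pageOrigin) {
  const origin = new URL(url).origin;
  return sources.some((s) => {
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return origin === pageOrigin;
    return s === origin;
  });
}

// Is a load governed by `directive` allowed? Falls back to default-src; a
// directive that is absent from the policy imposes no restriction.
function isLoadAllowed(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return matchesSource(sources, url, pageOrigin);
}

// Constructed inputs (assumptions for the example).
const PAGE_ORIGIN = 'https://www.example';
const SCRIPT_URL = 'https://cdn.example/app.js';
// A header containing only a directive the 2011 browser does not know.
// frame-ancestors was added to CSP later; treated here as "the future directive".
const FUTURE_ONLY = "frame-ancestors 'none'";

function demo() {
  const draft = applyDraftRule(FUTURE_ONLY, KNOWN_2011);
  const lenient = applyLenientRule(FUTURE_ONLY, KNOWN_2011);
  return {
    // Under the draft rule the site's own CDN script is blocked outright.
    draftBlocksScript: !isLoadAllowed(draft.policy, 'script-src', SCRIPT_URL, PAGE_ORIGIN),
    // Under the lenient rule the unknown directive is simply ignored.
    lenientBlocksScript: !isLoadAllowed(lenient.policy, 'script-src', SCRIPT_URL, PAGE_ORIGIN),
    draftWarning: draft.warning,
  };
}

console.log(demo());
```

Running the block prints the two outcomes side by side: the draft rule turns a header meant only to forbid framing into a policy that blocks every resource load on the page, which is exactly the breakage the message warns about; the lenient rule leaves the page working and simply gives up the protection the new directive would have provided.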