No Recognized Directives problem

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 27 Mar 2011 17:10:12 -0700
Message-ID: <AANLkTikQhEARh_vowavgtFvpC9w+k-RpBy=0Ts7Tu2M9@mail.gmail.com>
To: public-web-security@w3.org

When a user-agent receives a policy that contains no directives
recognized by the user-agent, the user-agent MUST discard the entire
policy and enforce a policy of default-src 'none' on the protected
resource. User-agents SHOULD report a warning message to the error
console communicating that an invalid policy was received.

That seems like a bad idea.  What happens when we invent some
directive in the future that is more popular than any of our current
directives?  Sites won't be able to use the new directive alone
because down-rev browsers will break their site by turning off all
resource loads!

Received on Monday, 28 March 2011 00:11:16 UTC
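
The fallback rule quoted in the message above, modelled as an added example (not part of the original message and not any browser's code). The directive name `future-directive`, the `KNOWN` set standing in for a down-rev browser, the example origins, and the simplified source matching are all assumptions made for illustration.

```javascript
// Directives a hypothetical down-rev user agent recognizes (assumed set).
const KNOWN = new Set(['default-src', 'script-src', 'img-src',
                       'style-src', 'object-src', 'report-uri']);

// Split a policy string into [name, [values...]] pairs.
function parsePolicy(header) {
  return header.split(';')
    .map(s => s.trim())
    .filter(s => s.length > 0)
    .map(s => {
      const [name, ...values] = s.split(/\s+/);
      return [name.toLowerCase(), values];
    });
}

// Quoted draft rule: if no directive is recognized, discard the whole
// policy and enforce default-src 'none'. Otherwise keep what is recognized.
function effectivePolicy(header, known = KNOWN) {
  const recognized = parsePolicy(header).filter(([name]) => known.has(name));
  if (recognized.length === 0) {
    return { fallback: true, directives: { 'default-src': ["'none'"] } };
  }
  return { fallback: false, directives: Object.fromEntries(recognized) };
}

// Simplified load check: exact origin match, 'self', or *. 'none' matches nothing.
function allowsLoad(policy, type, origin, selfOrigin) {
  const d = policy.directives;
  const list = d[type + '-src'] || d['default-src'];
  if (!list) return true; // no directive restricts this resource type
  return list.some(v =>
    v === '*' || v === origin || (v === "'self'" && origin === selfOrigin));
}

// Constructed sample: a site that sends only the new directive.
const SITE = 'https://site.example';
const onlyNew = effectivePolicy('future-directive https://cdn.example');
console.log(onlyNew.fallback, allowsLoad(onlyNew, 'img', SITE, SITE));
```

Sending the same header alongside a recognized directive, or to a user agent whose known set includes `future-directive`, avoids the fallback, which is why a site could not deploy the new directive on its own under this rule.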