W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

Re: No Recognized Directives problem

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 28 Mar 2011 13:36:37 -0700
Message-ID: <4D90F155.9000403@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
On 03/27/2011 05:10 PM, Adam Barth wrote:
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
> says:
> 
> [[
> When a user-agent receives a policy that contains no directives
> recognized by the user-agent, the user-agent MUST discard the entire
> policy and enforce a policy of default-src 'none' on the protected
> resource. User-agents SHOULD report a warning message to the error
> console communicating that an invalid policy was received.
> ]]
> 
> That seems like a bad idea.  What happens when we invent some
> directive in the future that is more popular that any of our current
> directives?  Sites won't be able to use the new directive alone
> because down-rev browsers will break their site by turning off all
> resource loads!
> 
> Adam

I agree with this proposed change, which specifically addresses the case
of "some, but no recognized directives" by failing open for the reasons
you describe.  There are still, however, unresolved and non-trivial
issues with how to handle "default" policies in various cases.  I have
most of a post covering those issues drafted and will share that with
the list sometime hopefully soon.

I'm making a note to fix this particular issue in the draft right away.

Cheers,
Brandon
Received on Monday, 28 March 2011 20:34:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 28 March 2011 20:34:34 GMT