
Re: CSP 1.1: Behavior when presented with an invalid plugin-types directive?

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Mon, 23 Jul 2012 16:32:52 +0200
To: public-webappsec@w3.org
Message-ID: <op.whwlc21h49xobu@odinho-fido.oslo.osa>

On Mon, 23 Jul 2012 07:28:46 +0200, Mike West <mkwst@google.com> wrote:

> I lean towards #2 as it seems less likely to leave a developer with the  
> mistaken impression that her directive is working the way she expects  
> (and tweaked the editor's draft to that effect over the weekend[2]).
>
> Still, the security risk of simply ignoring invalid items is probably  
> quite low, so expansion of the syntax might be a good reason to opt for  
> #1 instead.

I always like having a road open for expansion. Especially on something as  
expansible as mime types.

Ignoring invalid tokens wouldn't exclude printing out the error in the  
error console. With all the useful stuff that is turning up in that  
console these days, web developers get more and more reasons to check it  
;-)

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
Received on Monday, 23 July 2012 14:33:27 GMT
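
The behaviour discussed in this message, ignoring invalid `plugin-types` tokens while still reporting them, sketched as an added example (not code from this thread, the CSP draft or any browser). The function names, the token grammar (RFC 2616 `token "/" token`), the warning text and the sample header value are assumptions made for illustration.

```javascript
// Assumed grammar: media-type = token "/" token, with RFC 2616 token characters.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}$`);

// Parse the value of a plugin-types directive. Invalid items are skipped
// rather than invalidating the directive, and each one yields a warning
// that a user agent could print to its error console.
function parsePluginTypes(directiveValue) {
  const allowed = [];
  const warnings = [];
  for (const item of directiveValue.split(/[ \t]+/).filter(Boolean)) {
    if (MEDIA_TYPE.test(item)) {
      allowed.push(item.toLowerCase());
    } else {
      warnings.push(`plugin-types: ignoring invalid media type '${item}'`);
    }
  }
  return { allowed, warnings };
}

// Assumption: once the directive is present, only listed types may load,
// so a mistyped entry narrows the policy instead of widening it.
function isPluginTypeAllowed(policy, mimeType) {
  return policy.allowed.includes(mimeType.toLowerCase());
}

// Constructed sample value: one valid type, one typo (";" instead of "/").
const policy = parsePluginTypes("application/pdf application;x-shockwave-flash");
policy.warnings.forEach((w) => console.warn(w));
console.log(policy.allowed); // the valid entries that survive parsing
```

With the typo ignored, the intended Flash type is simply not in the allowed list, so the developer's only signal is the console warning.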
