- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Jul 2012 14:07:04 -0700
- To: Odin Hørthe Omdal <odinho@opera.com>
- Cc: public-webappsec@w3.org

On Mon, Jul 23, 2012 at 7:32 AM, Odin Hørthe Omdal <odinho@opera.com> wrote:
> On Mon, 23 Jul 2012 07:28:46 +0200, Mike West <mkwst@google.com> wrote:
>> I lean towards #2 as it seems less likely to leave a developer with the
>> mistaken impression that her directive is working the way she expects (and
>> tweaked the editor's draft to that effect over the weekend[2]).
>>
>> Still, the security risk of simply ignoring invalid items is probably
>> quite low, so expansion of the syntax might be a good reason to opt for #1
>> instead.
>
> I always like having a road open for expansion. Especially on something as
> expansible as mime types.
>
> Ignoring invalid tokens wouldn't exclude printing out the error in the error
> console. With all the useful stuff that is turning up in that console these
> days, web developers get more and more reasons to check it ;-)

Yeah, that makes sense to me. The situation is different with
script-nonce, which we expect folks to generate programmatically.

Adam

Received on Monday, 23 July 2012 21:08:04 UTC