
Re: CSP 1.1: Behavior when presented with an invalid plugin-types directive?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 23 Jul 2012 14:07:04 -0700
Message-ID: <CAJE5ia-3OtspvkR8upPv=x-cLATxp00Tvf564QNugXQhGGwDSg@mail.gmail.com>
To: Odin Hørthe Omdal <odinho@opera.com>
Cc: public-webappsec@w3.org
On Mon, Jul 23, 2012 at 7:32 AM, Odin Hørthe Omdal <odinho@opera.com> wrote:
> On Mon, 23 Jul 2012 07:28:46 +0200, Mike West <mkwst@google.com> wrote:
>> I lean towards #2 as it seems less likely to leave a developer with the
>> mistaken impression that her directive is working the way she expects (and
>> tweaked the editor's draft to that effect over the weekend[2]).
>>
>> Still, the security risk of simply ignoring invalid items is probably
>> quite low, so expansion of the syntax might be a good reason to opt for #1
>> instead.
>
> I always like having a road open for expansion. Especially on something as
> expansible as mime types.
>
> Ignoring invalid tokens wouldn't exclude printing out the error in the error
> console. With all the useful stuff that is turning up in that console these
> days, web developers get more and more reasons to check it ;-)

Yeah, that makes sense to me.  The situation is different with
script-nonce, which we expect folks to generate programmatically.

Adam
Received on Monday, 23 July 2012 21:08:04 GMT
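The two parsing behaviours the thread weighs, as an added example that is not part of the original messages or of any browser's CSP code: option #1, ignoring invalid media-type tokens in `plugin-types` while still reporting them to the error console, beside a strict mode that discards the whole directive when any token is invalid (the page does not spell out what #2 means, so that strict mode is my assumption). The header value, the function names and the simple media-type grammar are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed example header: one valid, one malformed, one valid token.
EXAMPLE_HEADER = (
    "plugin-types application/pdf not-a-media-type "
    "application/x-shockwave-flash; default-src 'self'"
)

# Simplified media-type grammar: type "/" subtype, token characters only.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def parse_plugin_types(header: str, strict: bool = False) -> Tuple[Optional[List[str]], List[str]]:
    """Return (allowed_types, console_errors) for the plugin-types directive.

    allowed_types is None when no usable directive is present, which (as with a
    policy that has no plugin-types directive at all) leaves plugins unrestricted.
    strict=False keeps valid tokens and reports the rest (option #1 in the thread);
    strict=True drops the whole directive on any invalid token (assumed option #2).
    """
    for directive in header.split(";"):
        parts = directive.strip().split(None, 1)
        if not parts or parts[0].lower() != "plugin-types":
            continue
        tokens = parts[1].split() if len(parts) > 1 else []
        valid = [t.lower() for t in tokens if MEDIA_TYPE.match(t)]
        invalid = [t for t in tokens if not MEDIA_TYPE.match(t)]
        errors = [f"plugin-types: ignoring invalid media type '{t}'" for t in invalid]
        if invalid and strict:
            errors.append("plugin-types: directive discarded because it contained an invalid token")
            return None, errors
        return valid, errors
    return None, []


def plugin_allowed(allowed: Optional[List[str]], mime: str) -> bool:
    """Would a plugin with this media type be permitted under the parsed directive?"""
    if allowed is None:
        return True
    return mime.lower() in allowed


if __name__ == "__main__":
    for mode in (False, True):
        allowed, errors = parse_plugin_types(EXAMPLE_HEADER, strict=mode)
        print(f"strict={mode}: allowed={allowed}")
        for e in errors:
            print("  console:", e)
```

Running it shows the trade-off the thread describes: the lenient mode still enforces the valid entries and surfaces the typo in the console, while the strict mode removes the restriction entirely along with the report.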
