
[Bug 16203] New: Nothing is said about what happens when default-src is omitted.

From: <bugzilla@jessica.w3.org>
Date: Fri, 02 Mar 2012 16:14:28 +0000
To: public-webappsec@w3.org
Message-ID: <bug-16203-4874@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16203

           Summary: Nothing is said about what happens when default-src is
                    omitted.
           Product: WebAppsSec
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: CORS
        AssignedTo: annevk@opera.com
        ReportedBy: sixcorners+w3c@gmail.com
         QAContact: dave.null@w3.org
                CC: mike@w3.org, public-webappsec@w3.org


The section right at the beginning of part 4 says that you should specify
script-src and object-src, or you should specify default-src if you want to
prevent XSS attacks, implying default-src is optional. What happens if
default-src is left out?
Back at Mozilla it seems like it would have been the same as specifying 'none'
as the source list.
https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax

Received on Friday, 2 March 2012 16:14:31 GMT
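The question in the bug is exactly which source list governs a directive that the policy does not name. As an added illustration (not part of the bug report, the W3C draft, or any browser's code), the following Python resolver implements the fallback chain the report is about: an explicit directive wins, otherwise default-src applies, and when default-src is absent too the outcome depends on the interpretation the spec leaves open. The two readings the report contrasts (omitted default-src behaving like 'none', versus no restriction at all) are modelled as a parameter so the same policy can be evaluated under each. The source-expression matcher is deliberately simplified to exact-origin, 'self', '*' and 'none'; the policies and origins below are constructed sample values.

```python
"""Added example: resolve the effective CSP source list for a fetch directive.

Hypothetical helper written for this discussion; it is not the CSP
specification's algorithm and not taken from any browser.
"""
from typing import Dict, List, Optional

# The two readings of a policy that has no default-src:
ABSENT_AS_NONE = "none"                 # omitted default-src acts like default-src 'none'
ABSENT_AS_UNRESTRICTED = "unrestricted" # omitted default-src imposes no restriction


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}.

    Directives are separated by ';', a directive name from its sources by
    whitespace. The first occurrence of a directive name is kept.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str,
                      absent_default: str = ABSENT_AS_UNRESTRICTED) -> Optional[List[str]]:
    """Return the source list that governs `directive`.

    Fallback chain: explicit directive -> default-src -> behaviour chosen by
    `absent_default`. A return value of None means "no restriction".
    """
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    if absent_default == ABSENT_AS_NONE:
        return ["'none'"]
    return None


def allows(policy: Dict[str, List[str]], directive: str, origin: str,
           self_origin: str, absent_default: str = ABSENT_AS_UNRESTRICTED) -> bool:
    """Decide whether a load from `origin` is permitted for `directive`.

    Simplified matcher (an assumption of this example): a source list that is
    exactly ['none'] blocks everything; '*' allows everything; 'self' matches
    the document's own origin; any other expression must equal the origin.
    """
    sources = effective_sources(policy, directive, absent_default)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and origin == self_origin:
            return True
        if src == origin:
            return True
    return False


# Constructed sample policies and origins for demonstration.
SELF = "https://app.example"
POLICY_NO_DEFAULT = parse_policy("script-src 'self'; object-src 'none'")
POLICY_WITH_DEFAULT = parse_policy("default-src 'self'; script-src https://cdn.example")


def demonstrate() -> Dict[str, bool]:
    """Evaluate the same image load under both readings of a missing default-src,
    plus the ordinary fallback cases, and return the decisions by label."""
    return {
        # img-src is not listed and there is no default-src: the spec gap.
        "img_no_default_unrestricted": allows(POLICY_NO_DEFAULT, "img-src",
                                              "https://cdn.example", SELF,
                                              ABSENT_AS_UNRESTRICTED),
        "img_no_default_as_none": allows(POLICY_NO_DEFAULT, "img-src",
                                         "https://cdn.example", SELF, ABSENT_AS_NONE),
        # Explicit directives are unaffected by the missing default-src.
        "script_self_ok": allows(POLICY_NO_DEFAULT, "script-src", SELF, SELF),
        "script_foreign_blocked": allows(POLICY_NO_DEFAULT, "script-src",
                                         "https://evil.example", SELF),
        # With default-src present: unlisted directives fall back to it, and an
        # explicit directive replaces (does not extend) the default list.
        "img_falls_back_to_default": allows(POLICY_WITH_DEFAULT, "img-src", SELF, SELF),
        "script_cdn_ok": allows(POLICY_WITH_DEFAULT, "script-src",
                                "https://cdn.example", SELF),
        "script_self_not_inherited": allows(POLICY_WITH_DEFAULT, "script-src", SELF, SELF),
    }


if __name__ == "__main__":
    for label, decision in demonstrate().items():
        print(f"{label}: {'allowed' if decision else 'blocked'}")
```

The two `img_no_default_*` entries are the point of the bug: the same header yields opposite decisions depending on which reading of an omitted default-src is taken, which is why the text needs to say so explicitly. The `script_self_not_inherited` case shows the other property worth remembering when writing policies: a directive that is listed replaces default-src entirely rather than adding to it.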
