Re: Advice about unprefixing Content-Security-Policy in WebKit

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Mon, 15 Oct 2012 16:22:37 +0200
To: public-webappsec@w3.org, "Adam Barth" <w3c@adambarth.com>
Cc: "Mike West" <mkwst@chromium.org>
Message-ID: <op.wl74vzzr49xobu@odinho-fido.oslo.osa>
On Wed, 29 Aug 2012 01:49:16 +0200, Adam Barth <w3c@adambarth.com> wrote:

> The one wrinkle in this plan is the handling of path restrictions in
> source lists.  This is one area where CSP 1.1 changes the semantics of
> a CSP 1.0 directive.  I was thinking we might enforce path
> restrictions for both Content-Security-Policy and the X-WebKit-CSP.
> There are two reasons why this seems like a good idea:
>
> 1) We can always loosen these restrictions later without breaking
> content (e.g., if CSP 1.1 drops path restrictions).
>
> 2) Enforcing these restrictions from the beginning lessens the chance
> that we'll break content by adding them later when CSP 1.1 advances to
> CR.

Hm, I thought I yay'ed this but can't see my reply.

Anyway, I think doing strict path checking as early as possible is smart and support it, yay :-)

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
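The path restrictions discussed above, as an added illustration that is not part of this thread and not WebKit's or Opera's code: a small JavaScript host-source matcher with a switch between CSP 1.0 behaviour (path-part ignored) and CSP 1.1 behaviour (path-part enforced), so the content that strict checking would break or protect is visible on concrete URLs. The policy string, the sample URLs, the `enforcePaths`/`pageScheme` options and all function names are constructed for this example; it handles host sources only (no `'self'`, nonces, hashes or scheme-only sources), requires an exact scheme match, and compares paths literally (a real implementation percent-decodes path segments first).

```javascript
// Added example, not from the thread: a CSP host-source matcher with and
// without CSP 1.1-style path restrictions. Simplified from the CSP 1.1 /
// Level 2 matching rules (host sources only, exact scheme match, literal
// path comparison). Policy strings and URLs below are constructed.

const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

// Parse "https://cdn.example.com:443/js/" into scheme / host / port / path.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^?#]*)?$/i
    .exec(expr.trim());
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || '',
  };
}

// "*" matches any host, "*.example.com" matches subdomains only.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);            // "*.example.com" -> ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// CSP 1.1 path-part matching: a path ending in "/" is a directory prefix,
// anything else must equal the URL path exactly; no path-part allows the host.
function pathMatches(srcPath, urlPath) {
  if (srcPath === '') return true;
  if (srcPath.endsWith('/')) return urlPath.startsWith(srcPath);
  return urlPath === srcPath;
}

// Does one source expression match the URL? enforcePaths=false reproduces
// the CSP 1.0 behaviour, where the path-part is simply ignored.
function sourceMatches(expr, urlString, { enforcePaths = true, pageScheme = 'https' } = {}) {
  const src = parseSourceExpression(expr);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  const urlPort = url.port || DEFAULT_PORTS[urlScheme] || '';

  // Scheme: explicit scheme-part must match; otherwise the page's scheme applies.
  if (src.scheme ? src.scheme !== urlScheme : pageScheme !== urlScheme) return false;
  if (!hostMatches(src.host, url.hostname)) return false;
  // Port: no port-part means the scheme's default port; "*" means any port.
  if (src.port === null) {
    if (urlPort !== (DEFAULT_PORTS[urlScheme] || '')) return false;
  } else if (src.port !== '*' && src.port !== urlPort) {
    return false;
  }
  if (enforcePaths && !pathMatches(src.path, url.pathname)) return false;
  return true;
}

// A directive value such as "https://cdn.example.com/js/ *.example.com"
// allows the URL if any one of its source expressions matches.
function allowedBy(sourceList, urlString, opts) {
  const exprs = sourceList.trim().split(/\s+/).filter(Boolean);
  if (exprs.length === 0 || exprs.includes("'none'")) return false;
  return exprs.some((e) => sourceMatches(e, urlString, opts));
}

// Constructed policy and URLs showing where the two modes diverge:
// the second URL is allowed under 1.0 semantics and blocked under 1.1.
const POLICY = 'https://cdn.example.com/js/';
function demo() {
  const urls = [
    'https://cdn.example.com/js/app.js',
    'https://cdn.example.com/other/evil.js',
    'https://cdn.example.com:8443/js/app.js',
  ];
  return urls.map((u) => ({
    url: u,
    csp10: allowedBy(POLICY, u, { enforcePaths: false }),
    csp11: allowedBy(POLICY, u, { enforcePaths: true }),
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(demo());
```

Run with `node` to print the table. The `/other/evil.js` row is the case the quoted message is about: a policy that names a directory today allows the whole host under 1.0 semantics, and a site relying on that would break once path checks are switched on, which is why enforcing them from the first unprefixed release is the safer order. One caveat for anyone reusing the logic: the later CSP Level 2 text ignores the path-part when the resource was reached through a redirect, so a path restriction is not a substitute for controlling what the named host serves.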
Received on Monday, 15 October 2012 14:23:11 GMT