- From: Odin Hørthe Omdal <odinho@opera.com>
- Date: Mon, 15 Oct 2012 16:22:37 +0200
- To: public-webappsec@w3.org, "Adam Barth" <w3c@adambarth.com>
- Cc: "Mike West" <mkwst@chromium.org>

On Wed, 29 Aug 2012 01:49:16 +0200, Adam Barth <w3c@adambarth.com> wrote:

> The one wrinkle in this plan is the handling of path restrictions in
> source lists. This is one area where CSP 1.1 changes the semantics of
> a CSP 1.0 directive. I was thinking we might enforce path
> restrictions for both Content-Security-Policy and the X-WebKit-CSP.
> There are two reasons why this seems like a good idea:
>
> 1) We can always loosen these restrictions later without breaking
> content (e.g., if CSP 1.1 drops path restrictions).
>
> 2) Enforcing these restrictions from the beginning lessens the chance
> that we'll break content by adding them later when CSP 1.1 advances to
> CR.

Hm, I thought I yay'ed this but can't see my reply. Anyway, I think doing strict path checking as early as possible is smart and support it, yay :-)

--
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com

Received on Monday, 15 October 2012 14:23:11 UTC