- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 31 May 2013 18:21:59 -0700
- To: Yehuda Katz <wycats@gmail.com>
- CC: public-webappsec@w3.org
Received on Saturday, 1 June 2013 01:22:30 UTC
On 5/31/2013 2:28 PM, Yehuda Katz wrote:
> This is a reminder to Adam about a conversation we had.
>
> At present, default-src expands into a list of more granular directives.
> It would be better if it was spec'ed as covering all network requests,
> period.

That was Mozilla's original intent, although the implementation is via specific code paths covered by one or another of the granular directives. There shouldn't be any loads triggered from web content that is not covered by one of the existing other directives, but should a vendor invent one between spec updates it should be covered by default-src (assuming it doesn't naturally fit in one of the existing categories).

-Dan Veditz
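The two readings of default-src discussed in this message, side by side, as an added example that is not part of the original e-mail or any browser's code. The function names, the sample policy and the load type `x-vendor-widget-src` are hypothetical; the fixed list is the set of CSP 1.0 fetch directives.

```javascript
// CSP 1.0 fetch directives that default-src stands in for when they are absent.
const CSP10_FETCH_DIRECTIVES = [
  'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src',
];

// Parse a policy string into Map(directive name -> source list).
// Names are case-insensitive; a repeated directive is ignored (first wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Reading A, "expansion": default-src is shorthand for a fixed list.
// A load type outside that list is governed by nothing (null = unrestricted).
function governingSourcesExpansion(directives, loadDirective) {
  if (directives.has(loadDirective)) return directives.get(loadDirective);
  if (CSP10_FETCH_DIRECTIVES.includes(loadDirective) &&
      directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Reading B, "catch-all": default-src governs every load that has no
// directive of its own, including load types invented after the spec.
function governingSourcesCatchAll(directives, loadDirective) {
  if (directives.has(loadDirective)) return directives.get(loadDirective);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// Constructed sample policy and a hypothetical vendor-invented load type.
const SAMPLE_POLICY = "default-src 'self'; img-src https://img.example";
const VENDOR_LOAD = 'x-vendor-widget-src'; // hypothetical, not a real directive

const sample = parsePolicy(SAMPLE_POLICY);
console.log('expansion:', governingSourcesExpansion(sample, VENDOR_LOAD));
console.log('catch-all:', governingSourcesCatchAll(sample, VENDOR_LOAD));
```

Under the expansion reading the hypothetical load is unrestricted even though the policy author wrote `default-src 'self'`; under the catch-all reading it inherits that restriction.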