- From: Neil Matatall <neilm@twitter.com>
- Date: Wed, 9 Oct 2013 16:25:22 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Ian pointed out that this only happens with the X- header on Firefox. However, it still appears to be undefined in the spec. On Wed, Oct 9, 2013 at 2:46 PM, Neil Matatall <neilm@twitter.com> wrote: > I became quite unpopular when I "broke" a site because I didn't do any > cross-browser testing. Shame on me on many levels :) > > This happened because the CSP did not set default-src/allow. Chrome > appears to fallback to * where Firefox defaults to 'none'. I setup a > BS test page to illustrate the differences: > http://fathomless-taiga-4659.herokuapp.com/ Apologies if the site > takes forever to load, it's absolutely overkill for this purpose. > > Firefox 26.02 will emit a warning message: > >> Content Security Policy: 'allow' or 'default-src' directive required but not present. Reverting to "default-src 'none'" > > Apologies if this is already defined in the spec, I didn't see > anything but I also didn't re-read the entire thing (and in general > always set the default-src anyhow). > > p.s. Thanks Garrett for pointing out the header was invalid in the > first place, apologies for the snarky response ;) We weren't getting > the flood of reports that you expected. Strange.
Received on Wednesday, 9 October 2013 23:25:50 UTC