- From: Gervase Markham <gerv@mozilla.org>
- Date: Tue, 01 Feb 2011 09:45:41 +0000
- To: Adam Barth <w3c@adambarth.com>
- CC: Lucas Adamski <ladamski@mozilla.com>, public-web-security@w3.org

On 31/01/11 17:03, Adam Barth wrote:
>> If you have a proposal for a policy syntax and mechanism which doesn't have
>> this problem, let's hear it :-)
>
> The "minimal edit distance" proposal from CSP would be to let folks
> use the "script-src" directive without using the "allow" directive.
> For example, we could make the following a valid policy:
>
> Content-Security-Policy: script-src example.com
>
> We could then later decide that "allow" was a valid directive. Now,
> I'm not sure that's the optimum path (and there are some details
> w.r.t. plug-ins), but it at least plausibly proves the concept.

In the current proposal, this is equivalent to:

Content-Security-Policy: allow *; script-src example.com

If you want to implement CSP, in the first instance, such that all "allow" values are treated as "*", i.e. you don't respect the restrictions anywhere except for script-src, I can't see a problem with that. Well, there's the problem that users of your browser won't be getting all the benefit of the policy the site has defined, but presumably you accept that :-) But there's no compatibility problem; you can start respecting them later if you want.

The only difference between your proposal and ours is that because allow defaults to 'none', CSP as it stands would require 'allow <something>' on every policy, whereas yours does away with that. But I'm not seeing that as an enormous simplification.

(We went backwards and forwards on whether allow should default to 'none' or *. I wish we'd written down the arguments on both sides. Perhaps Brandon or Lucas can remember some of them. If it defaulted to *, then our proposals would be equivalent.)

Gerv

Received on Tuesday, 1 February 2011 09:46:18 UTC
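
An added example, not part of the original message and not taken from any CSP implementation: a simplified JavaScript model of the fallback the thread discusses, comparing the two policies quoted above when a missing "allow" defaults to `*` and when it defaults to `'none'`. The function names, the probe hosts, the extra directive names `img-src` and `object-src`, and the rule that an absent directive falls back to "allow" are assumptions made for this sketch.

```javascript
// Simplified model (constructed for illustration): a directive missing from
// the policy falls back to "allow"; a missing "allow" falls back to allowDefault.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // First occurrence wins; repeated directives are ignored in this model.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveSources(header, directive, allowDefault) {
  const policy = parsePolicy(header);
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('allow')) return policy.get('allow');
  return [allowDefault];
}

// Source matching is reduced to "'none'", "*" and exact host names.
function permits(header, directive, host, allowDefault) {
  const sources = effectiveSources(header, directive, allowDefault);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  return sources.includes('*') || sources.includes(host);
}

// Two policies are equivalent here if they decide every probe the same way.
function equivalent(a, b, allowDefault, probes) {
  return probes.every(([directive, host]) =>
    permits(a, directive, host, allowDefault) ===
    permits(b, directive, host, allowDefault));
}

// Constructed sample input: the two policies from the message and some probes.
const SHORT = 'script-src example.com';
const LONG = 'allow *; script-src example.com';
const PROBES = [
  ['script-src', 'example.com'], ['script-src', 'other.test'],
  ['img-src', 'other.test'], ['object-src', 'other.test'],
];

for (const allowDefault of ['*', "'none'"]) {
  console.log(`allow defaults to ${allowDefault}:`,
    equivalent(SHORT, LONG, allowDefault, PROBES) ? 'equivalent' : 'different');
}
```

With the `'none'` default, the short policy restricts every other resource type as well as scripts, which is the behavioural difference between the two forms.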