- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 01 Feb 2011 09:04:54 -0800
- To: Gervase Markham <gerv@mozilla.org>
- CC: Adam Barth <w3c@adambarth.com>, Lucas Adamski <ladamski@mozilla.com>, public-web-security@w3.org
On 02/01/2011 01:45 AM, Gervase Markham wrote:

> The only difference between your proposal and ours is that because allow
> defaults to 'none', CSP as it stands would require 'allow <something>'
> on every policy, whereas yours does away with that. But I'm not seeing
> that as an enormous simplification.
>
> (We went backwards and forwards on whether allow should default to
> 'none' or *. I wish we'd written down the arguments on both sides.
> Perhaps Brandon or Lucas can remember some of them. If it defaulted to
> *, then our proposals would be equivalent.)

The case for a default policy of 'none' is that it is more secure, while the case for default * is that it's more compatible.

In the thread I started yesterday, "[Content Security Policy] A more modular approach", I'm advocating switching to a default * policy (and making default-src optional) so we can reconcile the two models and move forward.

-Brandon
Received on Tuesday, 1 February 2011 17:05:27 UTC
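As an added example, not code from this thread or from any CSP implementation, the toy checker below shows the practical difference between the two defaults the message debates: under a default of 'none', a policy that only lists script-src blocks every other kind of load, while under a default of * those loads are permitted unless a directive restricts them. The directive spelling (default-src, script-src, img-src), the simplified source matching and the sample URLs are assumptions made for illustration.

```python
"""Toy CSP load checker comparing a default of 'none' with a default of *.

Simplifications (assumed, not from the thread): only 'none', *, 'self' and
bare origins are understood as source expressions, and a missing directive
falls back to default-src, whose own absence is what the two models differ on.
"""
from urllib.parse import urlsplit


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Parse "name src src; name src" into {name: [sources]}."""
    result: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result


def source_matches(source: str, page_origin: str, resource_url: str) -> bool:
    """Simplified source-expression match against the resource's origin."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    res = urlsplit(resource_url)
    res_origin = f"{res.scheme}://{res.netloc}"
    if source == "'self'":
        return res_origin == page_origin
    return res_origin == source.rstrip("/")


def is_allowed(policy: str, directive: str, page_origin: str,
               resource_url: str, default_none: bool) -> bool:
    """Decide whether a load governed by `directive` (e.g. 'img-src') may proceed.

    default_none=True  -> no default-src means 'none' (the draft's secure default)
    default_none=False -> no default-src means *     (the compatible default)
    """
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        sources = ["'none'"] if default_none else ["*"]
    return any(source_matches(s, page_origin, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample: a policy that only speaks about scripts.
    policy = "script-src 'self'"
    for default_none in (True, False):
        ok = is_allowed(policy, "img-src", "https://example.com",
                        "https://cdn.example.net/logo.png", default_none)
        print(f"default {'none' if default_none else '*'}: image load allowed = {ok}")
```

The same policy yields opposite answers for the image load, which is exactly the security-versus-compatibility trade-off the message describes.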