Re: [Content Security Policy] A more modular approach

On 01/02/11 18:47, Adam Barth wrote:
> The main risk with that approach is that default-src means something
> different in each implementation.  To be sure you're not breaking
> things, you need to test in every browser.  That said, I don't feel
> that strongly about it.

It does, but what needs to be clear is the message to web developers. 
And I think it can be clear:

"_Assume_ that everything not more specifically specified is covered by 

That is true whichever browser you are using.

> Yeah, the more I think about it, the more I think it makes sense to
> lump these together.  The distinctions are pretty subtle.  If we want
> to give authors more control over plug-ins, the ability to control
> which plugins are loaded seems more useful.

So you would be in favour of removing script-src and object-src and just 
having a code-src?


Received on Wednesday, 2 February 2011 09:38:10 UTC