- From: Gervase Markham <gerv@mozilla.org>
- Date: Wed, 02 Feb 2011 09:37:35 +0000
- To: Adam Barth <w3c@adambarth.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 01/02/11 18:47, Adam Barth wrote:
> The main risk with that approach is that default-src means something
> different in each implementation. To be sure you're not breaking
> things, you need to test in every browser. That said, I don't feel
> that strongly about it.

It does, but what needs to be clear is the message to web developers. And I think it can be clear: "_Assume_ that everything not more specifically specified is covered by default-src." That is true whichever browser you are using.

> Yeah, the more I think about it, the more I think it makes sense to
> lump these together. The distinctions are pretty subtle. If we want
> to give authors more control over plug-ins, the ability to control
> which plugins are loaded seems more useful.

So you would be in favour of removing script-src and object-src and just having a code-src?

Gerv

Received on Wednesday, 2 February 2011 09:38:10 UTC