JavaScript URLs and script-src nit

In the Mozilla CSP spec, the presence of any Content-Security-Policy
at all triggers blocking of JavaScript URLs.  I think it would make
more sense to trigger blocking of JavaScript URLs on the script-src
directive (including the default-src directive, which implies a
script-src).  IMHO, the empty CSP policy (e.g., "") shouldn't have any
effects.

Technically, this isn't really a change from the Mozilla CSP spec
because the Mozilla CSP spec used to require that all policies had a
default-src (then called "allow").  This difference is only detectable
now because default-src is optional.

Thoughts?
Adam

Received on Saturday, 19 February 2011 02:10:58 UTC
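As an added example, not part of Adam's post or of any CSP spec text: a small constructed policy parser with the two rules side by side, so the difference on the empty policy "" and on a policy with no script-src is visible. Directive names follow the 2011 drafts; the sample policies and the function names are assumptions for illustration.

```javascript
// Added example (not from the thread): a tiny CSP directive parser and two
// predicates contrasting the two rules for javascript: URLs discussed above.

// Parse a serialized policy such as "default-src 'self'; img-src *" into
// a Map from directive name to its source-list tokens.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const rawToken of serialized.split(';')) {
    const token = rawToken.trim();
    if (token === '') continue; // empty policy, or a trailing ';'
    const [name, ...sources] = token.split(/\s+/);
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Rule as the post describes the Mozilla CSP spec: the mere presence of a
// Content-Security-Policy header blocks javascript: URLs, whatever it says.
// An empty header value ("") still counts as "present" under this rule.
function blocksJsUrlsAnyPolicy(serialized) {
  return serialized !== null && serialized !== undefined;
}

// Proposed rule: block only when the policy carries a script-src directive,
// or a default-src directive (which implies script-src).
function blocksJsUrlsProposed(serialized) {
  if (serialized === null || serialized === undefined) return false;
  const directives = parsePolicy(serialized);
  return directives.has('script-src') || directives.has('default-src');
}

// Side-by-side comparison over a list of policies.
function compare(policies) {
  return policies.map(policy => ({
    policy,
    anyPolicyRule: blocksJsUrlsAnyPolicy(policy),
    proposedRule: blocksJsUrlsProposed(policy),
  }));
}

// Constructed sample policies (assumed for illustration).
const SAMPLE_POLICIES = [
  null,                              // no header at all
  '',                                // empty policy: the case the post objects to
  "img-src 'self'",                  // policy that says nothing about script
  "script-src 'self'",
  "default-src 'self'; img-src *",   // default-src implies script-src
];

console.table(compare(SAMPLE_POLICIES));
```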