- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 18 Feb 2011 20:46:39 -0800
- To: public-web-security@w3.org
On 2/18/11 6:09 PM, Adam Barth wrote:
> In the Mozilla CSP spec, the presence of any Content-Security-Policy
> at all triggers blocking of JavaScript URL.

Because it's a form of inline-script, and inline-scripts are blocked by the mere presence of CSP. Like inline-scripts, however, not everyone is ready to give them up, so we added a hack^H^H^H^Hoverride that lets people turn them back on. The "script-src" directive isn't the best place for them because people rarely write "<script src=javascript:code>". Most often they appear as links, which aren't otherwise covered by the current CSP proposal. Maybe that argues that the javascript: override ought to be in the "options" directive alongside inline-scripts. Like inline-scripts, we wanted the presence of a CSP to opt-in to a more rigorous web regime that outlawed such things.

> IMHO, the empty CSP policy (e.g., "") shouldn't have any effects.

At what point do you disable inline-scripts then? If inline-scripts aren't disabled by default there isn't a whole lot of point to CSP in my opinion.

-Dan Veditz
Received on Saturday, 19 February 2011 04:48:09 UTC
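The semantics under debate above, as an added example that is not part of the mailing-list thread or of Mozilla's code: a small model of the policy behaviour Veditz describes, in which the presence of any Content-Security-Policy header (including an empty one) disables inline scripts and javascript: URLs, and the Mozilla-era `options inline-script` keyword turns inline scripts back on. The override for javascript: URLs is modelled as a hypothetical `options javascript-uri` keyword; that spelling is an assumption, not syntax from the spec. The sample header values are constructed for the example.

```javascript
// Added example, not part of the mailing-list thread or of Mozilla's code.
// Toy model of the 2011 Mozilla CSP semantics described in the message:
// any policy at all, even an empty one, blocks inline script and javascript:
// URLs; "options inline-script" re-enables inline script. The javascript:
// override is modelled as the hypothetical keyword "javascript-uri"
// (an assumption, not real spec syntax).

// Parse a header value into a Map of directive name -> value tokens.
// `null` means "no Content-Security-Policy header was sent at all", which
// is deliberately distinct from a header that is present but empty.
function parsePolicy(header) {
  if (header === null) return null;
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, or the empty policy ""
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

function optionsOf(policy) {
  return policy.get('options') || [];
}

// Inline <script> blocks and event-handler attributes.
function inlineScriptAllowed(policy) {
  if (policy === null) return true; // no CSP at all: legacy behaviour, everything runs
  return optionsOf(policy).includes('inline-script');
}

// javascript: URLs, treated as a form of inline script.
function javascriptUrlAllowed(policy) {
  if (policy === null) return true;
  return optionsOf(policy).includes('javascript-uri'); // hypothetical keyword
}

// Scheme check for link targets; tolerates leading whitespace and mixed case,
// since the scheme is canonicalised before a browser dispatches on it.
function isJavascriptUrl(href) {
  return /^\s*javascript:/i.test(href);
}

// Would following this link run script under the given header value?
function linkAllowed(header, href) {
  const policy = parsePolicy(header);
  if (!isJavascriptUrl(href)) return true; // ordinary navigation, not covered here
  return javascriptUrlAllowed(policy);
}

// Summary of what a given header value permits.
function evaluate(header) {
  const policy = parsePolicy(header);
  return {
    inlineScript: inlineScriptAllowed(policy),
    javascriptUrl: javascriptUrlAllowed(policy),
  };
}

// Constructed sample header values.
const samples = [
  null,                                          // header absent
  '',                                            // header present but empty
  "script-src 'self'",
  "script-src 'self'; options inline-script",
  'options inline-script javascript-uri',
];

for (const h of samples) {
  console.log(JSON.stringify(h), evaluate(h));
}
console.log(linkAllowed('', 'JavaScript:alert(1)')); // false: empty policy still blocks
console.log(linkAllowed('', '/home'));               // true: not a javascript: URL
```

The distinction between `null` (header absent) and `''` (header present but empty) is the whole argument of the message: in this model the empty policy is not a no-op, because its mere presence flips the page into the stricter regime, and only an explicit `options` keyword opts back out.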