Re: XSS mitigation in browsers

On 1/22/11 12:59 AM, Devdatta Akhawe wrote:
>> If the CSP policy disables all script, how will the script run which detects
>> the event of a policy violation and reports it?
> 
> Don't do that :). I mean, that is a problem with Adam's original proposal too.

There are cases where disabling script completely might be
appropriate; why not? We do that in the Firefox UI in a couple of
places, and whoever invented the HTML5 <iframe> sandbox attribute
thought it was useful.

Received on Saturday, 22 January 2011 10:37:31 UTC