- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Sun, 30 Jan 2011 15:21:47 -0500
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Sat, Jan 29, 2011 at 10:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> Think of "allow" as "default-src": it provides the value for any
> missing directive. Your policy has an explicit img-src and
> script-src so those are what will be used for those types (and you
> did not specify 'self' for those so you won't be able to load
> scripts from your own site). Any other type of content (stylesheets,
> plugins, etc) will be limited to 'self'.

Perhaps "allow" should be renamed to "default-src"? It seems significantly more intuitive.
Received on Sunday, 30 January 2011 20:22:40 UTC
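The fallback rule Daniel describes (an explicit directive wins; anything not listed takes the "allow" / "default-src" value) as an added worked example. This is not code from the thread or from any browser's CSP implementation; it is a small JavaScript model written for this page. The sample policy, the function names (parsePolicy, effectiveSources, isAllowed) and the origins used are constructed for illustration, and source matching is deliberately reduced to 'self', '*', 'none' and literal host or origin entries, which is narrower than real CSP source-expression matching.

```javascript
// Constructed policy in the shape the thread discusses: "allow" carries the
// default, img-src and script-src are explicit, and script-src omits 'self'.
const EXAMPLE_POLICY = "allow 'self'; img-src *; script-src cdn.example.net";

// Parse "allow 'self'; img-src *" into { allow: ["'self'"], "img-src": ["*"] }.
// Both the old "allow" name and "default-src" are accepted as the default.
function parsePolicy(policy) {
  const parsed = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    parsed[name.toLowerCase()] = sources;
  }
  return parsed;
}

// Effective source list for a directive: the explicit value if present,
// otherwise the default ("allow" or "default-src"); with neither, unrestricted.
function effectiveSources(parsed, directive) {
  if (Object.prototype.hasOwnProperty.call(parsed, directive)) {
    return parsed[directive];
  }
  return parsed['allow'] || parsed['default-src'] || ['*'];
}

// Simplified source matching (assumption: only these forms are modelled).
// 'none' blocks everything, '*' permits everything, 'self' matches the page
// origin, and a bare entry matches the URL's origin, host:port or hostname.
function sourceAllows(sources, url, pageOrigin) {
  const target = new URL(url);
  if (sources.includes("'none'")) return false;
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'" && target.origin === pageOrigin) return true;
    if (src === target.origin || src === target.host || src === target.hostname) {
      return true;
    }
  }
  return false;
}

// May a page served from pageOrigin load `url` as the given directive's type?
function isAllowed(policy, directive, url, pageOrigin) {
  const parsed = parsePolicy(policy);
  return sourceAllows(effectiveSources(parsed, directive), url, pageOrigin);
}

// Walk the cases from the thread for the constructed policy.
function demo() {
  const page = 'https://www.example.com';
  return {
    // script-src is explicit and lacks 'self': own-site script is refused.
    ownScript: isAllowed(EXAMPLE_POLICY, 'script-src', `${page}/app.js`, page),
    cdnScript: isAllowed(EXAMPLE_POLICY, 'script-src', 'https://cdn.example.net/lib.js', page),
    // img-src is explicit and wide open.
    anyImage: isAllowed(EXAMPLE_POLICY, 'img-src', 'https://pics.example.org/a.png', page),
    // style-src is absent, so it inherits allow 'self'.
    ownStyle: isAllowed(EXAMPLE_POLICY, 'style-src', `${page}/site.css`, page),
    cdnStyle: isAllowed(EXAMPLE_POLICY, 'style-src', 'https://cdn.example.net/site.css', page),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point the thread makes falls straight out of effectiveSources: a directive that is present is taken verbatim, so forgetting 'self' on script-src locks the site out of its own scripts even though the default would have permitted them, while every directive that is absent quietly inherits the default.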