- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 26 Jul 2011 16:56:29 -0700
- To: nickgearls@gmail.com
- CC: public-web-security@w3.org
On 7/26/11 3:27 AM, Nick Gearls wrote:
> 1. Whatever you want, you may use only one header.
> Whether you want to restrict or to relax a rule in a sub-location,
> don't bother to try to add a header (or even a directive inside the
> header), it does not work.

Web developers will certainly want a way to specify a default site rule and then allow for spot relaxation/tightening, but unfortunately that kind of thing will have to be built into site frameworks. If we allow an additional header to relax a rule then any header-injection flaw means an attacker can add "default-src *; options inline-script;", thereby disabling any CSP protection.

We also wanted to err on the side of being too strict. We can always loosen the behavior in the future and keep today's strict policies working. If we started out too loose and had to make things more strict we'd end up breaking most of our early adopters.

Thanks for your courage trying out CSP at such an early time, and your feedback is much appreciated!

-Dan Veditz
Received on Tuesday, 26 July 2011 23:57:06 UTC
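An added example, not part of the thread: a small Python model of the rule that later CSP specifications adopted to get the property Dan describes, namely that every delivered Content-Security-Policy header is enforced independently, so an extra header can only tighten the effective policy and an injected "default-src *" cannot relax the site's real one. It simplifies source matching to host names, `*`, `'self'` and `'none'` and to the `script-src`/`default-src` pair; the host names and policies are constructed for the demonstration.

```python
# Added example (not from the mailing-list thread): model the "resource must
# satisfy EVERY delivered policy" rule, so a second header cannot relax the first.
# Assumptions: host-only sources, '*', 'self', 'none'; script-src falling back to
# default-src. Real CSP matching also handles schemes, ports, paths and nonces.
from urllib.parse import urlsplit


def parse_policy(header_value):
    """'default-src 'self'; script-src cdn.example' -> {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_allows(source, url, page_host):
    """Does one source expression permit loading url from a page on page_host?"""
    if source == "*":
        return True
    if source == "'none'":
        return False
    host = urlsplit(url).netloc
    if source == "'self'":
        return host == page_host
    if source.startswith("*."):          # wildcard host, e.g. *.cdn.example
        return host.endswith(source[1:])
    return host == source


def policy_allows_script(policy, url, page_host):
    """One policy's verdict: script-src, else default-src, else unrestricted."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_allows(s, url, page_host) for s in sources)


def script_allowed(headers, url, page_host="www.example"):
    """The load is allowed only if EVERY CSP header allows it (intersection)."""
    return all(policy_allows_script(parse_policy(h), url, page_host) for h in headers)


# Constructed scenario from the thread: the site's strict policy plus a second,
# attacker-injected header that tries to relax it (old Mozilla 'options' syntax).
SITE_POLICY = "default-src 'self'; script-src 'self' cdn.example"
INJECTED = "default-src *; options inline-script;"
```

With only `INJECTED` present the load of an off-site script passes, but with `SITE_POLICY` also present it is blocked, which is the behaviour the reply argues for.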