- From: Brian Smith <bsmith@mozilla.com>
- Date: Tue, 14 Jun 2011 12:24:20 -0700 (PDT)
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
Brandon Sterne wrote:
> Adam Barth wrote:
> > I'd lump them in with script-src. The problem is that they're
> > somewhat obscure and authors aren't going to understand the security
> > implications. If you and I didn't get it right the first time, what
> > chance do authors have?
>
> Okay, this sounds fine. Giorgio seems to agree. I'll wait to see if
> there are objections, otherwise I'll make this change. It is troubling
> that some of these technologies are so poorly understood, even by us
> "experts".
+1. Yesterday, Brandon and I discussed an extension to the object-src syntax to allow it to be refined by mime type:
    object-src [application/x-shockwave-flash] flashsite.org
               [application/x-java-applet] javasite.org
script-src could be done the same way:
    script-src [application/xslt+xml] xsltsite.org
               [application/javascript] javascriptsite.org
- Brian
Received on Tuesday, 14 June 2011 19:24:47 UTC
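As an added illustration, not part of the original thread and not taken from any CSP implementation, the following Python parses a policy written in the bracketed-MIME-type syntax sketched above and evaluates whether a given (directive, MIME type, URL) combination is allowed. The thread only proposes the syntax, so the semantics used here are assumptions: a bracketed type governs the hosts that follow it up to the next bracketed type, hosts listed before any bracket apply to every type, a type with no matching hosts is denied, and sources are matched by exact host name only (real CSP source expressions also cover schemes, ports and wildcards). The policy string is constructed from the hosts in the examples, with each directive joined onto one line as a real header value would be.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed policy using the hosts from the thread's examples, with each
# directive's value on one line as it would appear in a header.
EXAMPLE_POLICY = (
    "object-src [application/x-shockwave-flash] flashsite.org "
    "[application/x-java-applet] javasite.org; "
    "script-src [application/xslt+xml] xsltsite.org "
    "[application/javascript] javascriptsite.org"
)

# A bracketed MIME type token, e.g. "[application/x-shockwave-flash]".
TYPE_TOKEN = re.compile(r"^\[([\w.+-]+/[\w.+-]+)\]$")


def parse_directive(value: str) -> dict[str, list[str]]:
    """Split one directive value into {mime type: [hosts]}.

    Assumed grouping rule: hosts listed before any bracketed type go under
    the key "*" and are allowed for every type; a bracketed type applies to
    the hosts that follow it, up to the next bracketed type.
    """
    groups: dict[str, list[str]] = {"*": []}
    current = "*"
    for token in value.split():
        match = TYPE_TOKEN.match(token)
        if match:
            current = match.group(1).lower()
            groups.setdefault(current, [])
        else:
            groups[current].append(token.lower())
    return groups


def parse_policy(policy: str) -> dict[str, dict[str, list[str]]]:
    """Parse 'name value; name value' into {directive name: parsed value}."""
    directives: dict[str, dict[str, list[str]]] = {}
    for part in policy.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        directives[name.lower()] = parse_directive(value)
    return directives


def allows(policy: dict[str, dict[str, list[str]]],
           directive: str, mime_type: str, url: str) -> bool:
    """Decide whether `url` may be loaded under `directive` as `mime_type`.

    Assumptions: a missing directive is denied (no default-src fallback in
    this toy), matching is by exact host name, and a type with neither a
    bracketed group nor untyped hosts is denied.
    """
    groups = policy.get(directive.lower())
    if groups is None:
        return False
    host = urlparse(url).hostname
    if not host:
        return False
    allowed = set(groups["*"]) | set(groups.get(mime_type.lower(), []))
    return host.lower() in allowed


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    checks = [
        ("object-src", "application/x-shockwave-flash", "https://flashsite.org/m.swf"),
        ("object-src", "application/x-shockwave-flash", "https://javasite.org/m.swf"),
        ("script-src", "application/xslt+xml", "https://xsltsite.org/t.xsl"),
        ("script-src", "text/vbscript", "https://javascriptsite.org/x.vbs"),
    ]
    for directive, mime_type, url in checks:
        print(directive, mime_type, url, "->", allows(policy, directive, mime_type, url))
```

One point worth keeping in mind when reasoning about this refinement: the decision is only as good as the MIME type fed into `allows`. If the browser selects the plugin or handler from the response's Content-Type, the check must run against that value rather than against whatever `type` attribute the page author wrote, otherwise the two can disagree and the narrower policy buys nothing.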