- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 08 Mar 2011 10:50:25 -0800
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
On 03/08/2011 09:43 AM, Brandon Sterne wrote:
> 1. As the document notes, there is still an unresolved issue over what
> to do with an empty policy: a) most restrictive, or b) most permissive.
> Mozilla felt that a) was preferable because it allows us to "fail
> closed", something we tried to do consistently throughout the model. We
> also wanted to "fail early and fail hard" so that it is obvious to the
> developer that something has gone horribly wrong. When every image,
> script and stylesheet fails to load in a resource it's fairly obvious :-)
>
> Can you make a case for why b) is preferable?

Going back, I see you made a fairly compelling case for b) here:
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html

I'm torn myself. What do others think?

-Brandon
Received on Tuesday, 8 March 2011 18:49:45 UTC