- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 8 Mar 2011 11:11:35 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>

On Tue, Mar 8, 2011 at 10:50 AM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 03/08/2011 09:43 AM, Brandon Sterne wrote:
>> 1. As the document notes, there is still an unresolved issue over what
>> to do with an empty policy: a) most restrictive, or b) most permissive.
>> Mozilla felt that a) was preferable because it allows us to "fail
>> closed", something we tried to do consistently throughout the model. We
>> also wanted to "fail early and fail hard" so that it is obvious to the
>> developer that something has gone horribly wrong. When every image,
>> script and stylesheet fails to load in a resource it's fairly obvious :-)
>>
>> Can you make a case for why b) is preferable?
>
> Going back, I see you made a fairly compelling case for b) here:
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
>
> I'm torn myself. What do others think?

We're going to be more successful getting folks to use CSP for new kinds of policies in the future if CSP has less intrinsic baggage. For example, Anne's From-Origin HTTP header should be a CSP directive not yet-another-HTTP-header, but he's not going to like any coupling between From-Origin and how inline event handlers behave.

Adam

Received on Tuesday, 8 March 2011 19:12:44 UTC