- From: <bugzilla@jessica.w3.org>
- Date: Fri, 02 Mar 2012 16:14:28 +0000
- To: public-webappsec@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16203

Summary: Nothing is said about what happens when default-src is omitted.
Product: WebAppsSec
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: CORS
AssignedTo: annevk@opera.com
ReportedBy: sixcorners+w3c@gmail.com
QAContact: dave.null@w3.org
CC: mike@w3.org, public-webappsec@w3.org

The section right at the beginning of part 4 says that you should specify script-src and object-src, or you should specify default-src if you want to prevent XSS attacks, implying default-src is optional.

What happens if default-src is left out? Back at Mozilla it seems like it would have been the same as specifying 'none' as the source list.
https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax

--
Configure bugmail: https://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Received on Friday, 2 March 2012 16:14:31 UTC