
[Bug 16203] New: Nothing is said about what happens when default-src is omitted.

From: <bugzilla@jessica.w3.org>
Date: Fri, 02 Mar 2012 16:14:28 +0000
To: public-webappsec@w3.org
Message-ID: <bug-16203-4874@http.www.w3.org/Bugs/Public/>

           Summary: Nothing is said about what happens when default-src is
           Product: WebAppsSec
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: CORS
        AssignedTo: annevk@opera.com
        ReportedBy: sixcorners+w3c@gmail.com
         QAContact: dave.null@w3.org
                CC: mike@w3.org, public-webappsec@w3.org

The section right at the beginning of part 4 says that you should specify
script-src and object-src, or you should specify default-src if you want to
prevent XSS attacks, implying default-src is optional. What happens if
default-src is left out?
Back at Mozilla it seems like it would have been the same as specifying 'none'
as the source list.

Received on Friday, 2 March 2012 16:14:31 UTC
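
Added example (not part of the original bug report, nor code from the specification or its editors): a sketch of how the fallback resolves under the rule later published in CSP 1.0, where a fetch directive absent from the policy uses default-src and an absent default-src is treated as `*`. The function names and sample policies are constructed for illustration.

```javascript
// Fetch directives that fall back to default-src in CSP 1.0.
const FETCH_DIRECTIVES = ['script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src'];

// Parse a policy string into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence is kept.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Resolve the source list that governs one resource type, and where it came from.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) {
    return { sources: policy.get(directive), from: directive };
  }
  if (policy.has('default-src')) {
    return { sources: policy.get('default-src'), from: 'default-src' };
  }
  // Assumption stated in the lead-in: no default-src means "*", not 'none'.
  return { sources: ['*'], from: 'implicit' };
}

// List the XSS-relevant directives that end up allowing any origin.
function unrestricted(header, watch = ['script-src', 'object-src']) {
  const policy = parsePolicy(header);
  return watch.filter(d => effectiveSources(policy, d).sources.includes('*'));
}

// Constructed sample policies.
const samples = [
  "img-src 'self'",                      // no default-src, no script-src
  "script-src 'self'",                   // object-src left open
  "default-src 'self'",                  // everything falls back to 'self'
  "script-src 'self'; object-src 'none'" // both set, default-src omitted
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', unrestricted(s));
}
```

Under this rule a policy that omits default-src is only as tight as the directives it names explicitly, which is why the first two sample policies are reported as leaving script or plugin loading open.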
