
Re: broadening default-src semantics

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 31 May 2013 18:21:59 -0700
Message-ID: <51A94CB7.5020304@mozilla.com>
To: Yehuda Katz <wycats@gmail.com>
CC: public-webappsec@w3.org

On 5/31/2013 2:28 PM, Yehuda Katz wrote:
> This is a reminder to Adam about a conversation we had.
>
> At present, default-src expands into a list of more granular directives.
> It would be better if it was spec'ed as covering all network requests,
> period.

That was Mozilla's original intent, although the implementation is via 
specific code paths covered by one or another of the granular 
directives. There shouldn't be any loads triggered from web content that
are not covered by one of the existing other directives, but should a
vendor invent one between spec updates it should be covered by 
default-src (assuming it doesn't naturally fit in one of the existing 
categories).

-Dan Veditz



Received on Saturday, 1 June 2013 01:22:30 UTC
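
Added example, not part of the original message and not any browser's code: a small resolver that contrasts the two readings of default-src discussed in this thread, expansion into the fixed CSP 1.0 directive list versus a catch-all for every load. The mode names `expand` and `catch-all`, the sample policy, and the directive `vendor-widget-src` are assumptions made up for illustration.

```javascript
// Fetch directives that CSP 1.0 lists as falling back to default-src.
const CSP10_FALLBACK = new Set([
  'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src',
]);

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

// Return the source list governing a load of type `directive`,
// or null when the policy places no restriction on it.
// mode 'expand': default-src stands in only for the fixed CSP 1.0 list.
// mode 'catch-all': default-src governs any load lacking its own directive.
function effectiveSources(policy, directive, mode) {
  if (policy.has(directive)) return policy.get(directive);
  if (!policy.has('default-src')) return null;
  if (mode === 'catch-all' || CSP10_FALLBACK.has(directive)) {
    return policy.get('default-src');
  }
  return null;
}

// Constructed policy; 'vendor-widget-src' is a hypothetical load type
// invented by a vendor between spec updates.
const policy = parsePolicy("default-src 'self'; img-src *; script-src 'self' cdn.example");
for (const d of ['img-src', 'font-src', 'vendor-widget-src']) {
  console.log(d,
    'expand:', effectiveSources(policy, d, 'expand'),
    'catch-all:', effectiveSources(policy, d, 'catch-all'));
}
```

Under `expand` the hypothetical load type comes back as `null` (unrestricted), while under `catch-all` it inherits the default-src list, which is the difference a policy author auditing a deployed header would care about.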
