- From: Neil Matatall <neilm@twitter.com>
- Date: Wed, 9 Oct 2013 14:46:43 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I became quite unpopular when I "broke" a site because I didn't do any cross-browser testing. Shame on me on many levels :) This happened because the CSP did not set default-src/allow. Chrome appears to fall back to * where Firefox defaults to 'none'.

I set up a BS test page to illustrate the differences: http://fathomless-taiga-4659.herokuapp.com/ Apologies if the site takes forever to load, it's absolutely overkill for this purpose.

Firefox 26.02 will emit a warning message:

> Content Security Policy: 'allow' or 'default-src' directive required but not present. Reverting to "default-src 'none'"

Apologies if this is already defined in the spec, I didn't see anything but I also didn't re-read the entire thing (and in general always set the default-src anyhow).

p.s. Thanks Garrett for pointing out the header was invalid in the first place, apologies for the snarky response ;) We weren't getting the flood of reports that you expected. Strange.
Received on Wednesday, 9 October 2013 21:47:11 UTC
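The fallback divergence described in the post, as an added illustration that is not part of the original message: a small CSP source-list resolver that shows what a directive-less fetch is governed by when default-src is missing, under the two fallbacks the post reports (a permissive `*` and a strict `'none'`). The policy strings, origins and the "permissive"/"strict" labels are constructed for this example; only a host-source subset of CSP matching is implemented.

```python
"""Resolve which CSP source list governs a fetch, and what happens without default-src.

Constructed from the post: when both the fetch directive and default-src are
absent, one browser fell back to '*' and another to 'none'. The current CSP
spec treats that case as unrestricted (the '*' behaviour); the defensive
habit either way is to always set default-src so no fallback is exercised.
"""
from urllib.parse import urlparse

# Constructed labels for the two fallback behaviours reported in the post.
FALLBACK = {"permissive": ["*"], "strict": ["'none'"]}


def parse_policy(policy: str) -> dict:
    """Parse "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    result = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result


def effective_sources(policy: dict, directive: str, fallback: str) -> list:
    """Explicit directive, else default-src, else the browser's fallback."""
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    return FALLBACK[fallback]


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against url (host sources, 'self', *, 'none')."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    s = urlparse(source if "://" in source else f"{u.scheme}://{source}")
    host_ok = s.hostname == u.hostname or (
        s.hostname.startswith("*.") and u.hostname.endswith(s.hostname[1:]))
    return host_ok and s.scheme == u.scheme


def is_allowed(policy_str, directive, url, fallback, page_origin="https://example.com"):
    """Would this fetch be allowed under the policy and the given fallback?"""
    sources = effective_sources(parse_policy(policy_str), directive, fallback)
    return any(source_allows(s, url, page_origin) for s in sources)


def missing_default_src(policy_str: str) -> bool:
    """The lint the post implies: flag policies that leave the fallback to the browser."""
    return "default-src" not in parse_policy(policy_str)
```

The same policy with no default-src loads a third-party stylesheet under the permissive fallback and blocks it under the strict one, which is exactly the cross-browser breakage the post describes.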