- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 10 Oct 2013 08:22:53 -0700
- To: Neil Matatall <neilm@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 10 October 2013 15:23:22 UTC
On 10/9/2013 4:25 PM, Neil Matatall wrote:
> Ian pointed out that this only happens with the X- header on Firefox.
> However, it still appears to be undefined in the spec.

Mozilla's original view was that by failing hard people were safer than by failing open -- how do we know the site meant "default-src *" rather than "default-src 'self'"? Breaking the site entirely was likely to be caught early in testing, while breaking in the permissive direction may not. That philosophy was not shared by this group :-)

The specified behavior does have the advantage of extensibility. In particular it allows IE to support only CSP sandbox without Firefox choking on sites that set only that directive.

Please don't use the X-Content-Security-Policy header anymore. Any Firefox users on a build that doesn't support the standard header have bigger security worries than using your site unprotected. If your site is secure enough for IE users they'll be fine.

-Dan Veditz
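The two behaviours Dan contrasts above (the spec's "no governing directive means no restriction" versus the old Firefox X-header habit of failing closed), plus a check for the deprecated header name, as an added example that is not part of the original thread. This is a simplified CSP model written for illustration, not a browser's implementation; the policy strings, origins and the `mode` parameter are assumptions made for the example.

```javascript
// Added example (not from the mailing-list thread): a minimal model of CSP
// evaluation showing why a policy that sets only "sandbox" is unrestricted
// under the spec, while a fail-closed implementation would block everything.
// This is a simplified parser, not a complete CSP implementation.

// Parse "directive value value; directive value" into a Map of
// directive name -> array of source expressions. As in CSP, the first
// occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Match an origin against a source list. Only the source expressions that
// matter for this illustration are handled: *, 'none', 'self', and a literal
// origin. Host wildcards, schemes, nonces and hashes are out of scope here.
function sourceMatches(sources, origin, pageOrigin) {
  if (sources.includes("'none'")) return false;
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'" && origin === pageOrigin) return true;
    if (src === origin) return true;
  }
  return false;
}

// Decide whether a load governed by `directive` (e.g. 'script-src') from
// `origin` is allowed on a page at `pageOrigin`.
//   mode === 'spec'   -> undefined directive and no default-src: allow (fail open)
//   mode === 'strict' -> undefined directive and no default-src: block (fail closed),
//                        the old X-Content-Security-Policy behaviour Dan describes
function isAllowed(policy, directive, origin, pageOrigin, mode = 'spec') {
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get('default-src');
  if (sources === undefined) return mode === 'spec';
  return sourceMatches(sources, origin, pageOrigin);
}

// Return the names of any response headers that still use the prefixed,
// deprecated CSP header names. `headers` is a plain object of lower-cased
// header names to values (constructed input for this example).
function deprecatedCspHeaders(headers) {
  const legacy = ['x-content-security-policy', 'x-webkit-csp'];
  return Object.keys(headers)
    .map((h) => h.toLowerCase())
    .filter((h) => legacy.includes(h));
}

// Demonstration on constructed inputs.
const page = 'https://site.example';
const sandboxOnly = parsePolicy('sandbox');
console.log('sandbox-only, spec:  ', isAllowed(sandboxOnly, 'script-src', 'https://evil.example', page, 'spec'));
console.log('sandbox-only, strict:', isAllowed(sandboxOnly, 'script-src', 'https://evil.example', page, 'strict'));
const selfPolicy = parsePolicy("default-src 'self'; img-src *");
console.log("default-src 'self', cross-origin script:", isAllowed(selfPolicy, 'script-src', 'https://evil.example', page));
console.log('deprecated headers:', deprecatedCspHeaders({
  'x-content-security-policy': "default-src 'self'",
  'content-security-policy': "default-src 'self'",
}));
```

The first two lines of output are the point of the thread: the same `sandbox`-only policy is unrestricted under the spec and fully blocking under the fail-closed model, and nothing in the header tells you which one the site author expected. The last line shows the kind of check a deployment test can run so the prefixed header does not linger alongside the standard one.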