
Re: Behavior when default-src is missing from a CSP

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 10 Oct 2013 08:22:53 -0700
Message-ID: <5256C64D.4010501@mozilla.com>
To: Neil Matatall <neilm@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 10/9/2013 4:25 PM, Neil Matatall wrote:
> Ian pointed out that this only happens with the X- header on Firefox.
> However, it still appears to be undefined in the spec.

Mozilla's original view was that by failing hard people were safer than
by failing open -- how do we know the site meant "default-src *" rather than
"default-src 'self'"? Breaking the site entirely was likely to be caught
early in testing, while breaking in the permissive direction may not.

That philosophy was not shared by this group :-)

The specified behavior does have the advantage of extensibility. In
particular it allows IE to support only CSP sandbox without Firefox
choking on sites that set only that directive.

Please don't use the X-Content-Security-Policy header anymore. Any
Firefox users on a build that doesn't support the standard header have
bigger security worries than using your site unprotected. If your site
is secure enough for IE users they'll be fine.

-Dan Veditz
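To make the two fallback behaviours discussed in this thread concrete, here is an added example (not code from the mail, the spec, or any browser) that resolves the effective source list for one directive. Under the spec, a missing default-src leaves an unlisted fetch directive unrestricted; the "fail-closed" mode is an assumed model of the old X- header view, treating a missing default-src as 'none'.

```python
# Effective CSP source list for a directive, under the two fallback
# behaviours discussed in the thread. Added example, not browser code.

# Directives that fall back to default-src when not listed (subset used
# here for illustration; 'sandbox' deliberately is not one of them).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src",
}


def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}.

    Directives are separated by ';'; the first occurrence of a directive
    name wins, as later duplicates are ignored in CSP.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue                      # empty segment, e.g. trailing ';'
        name, *sources = parts
        directives.setdefault(name.lower(), sources)
    return directives


def effective_sources(policy, directive, mode="spec"):
    """Return the source list that governs `directive`.

    mode="spec":        missing default-src => unlisted fetch directive is
                        unrestricted (modelled as ['*']).
    mode="fail-closed": assumed model of the old X- header behaviour =>
                        missing default-src is treated as ["'none'"].
    Non-fetch directives such as sandbox never fall back to default-src.
    """
    d = parse_csp(policy)
    if directive in d:
        return d[directive]               # explicitly listed: use as-is
    if directive in FETCH_DIRECTIVES:
        if "default-src" in d:
            return d["default-src"]       # normal fallback
        return ["*"] if mode == "spec" else ["'none'"]
    return []                             # no fallback for non-fetch directives


if __name__ == "__main__":
    # A policy that only sets sandbox (the IE case from the mail):
    print(effective_sources("sandbox allow-forms", "script-src"))                     # ['*']
    print(effective_sources("sandbox allow-forms", "script-src", mode="fail-closed"))  # ["'none'"]
```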
Received on Thursday, 10 October 2013 15:23:22 UTC
