Re: [CSP][SRI] block-non-sri-resources: * or no *?

I don't remember the rationale behind form-action without looking it up but
I suspect it was rather more the fact that default-src doesn't block
navigations. Submitting forms is more like navigating than loading
resources into a document.

Breakage definitely was not the rationale behind frame-ancestors. That
directive describes the embedding context (like the sandbox directive) and
has nothing to do with resources loaded by that document. So far we've
worked to give directives "-src" names if they're going to be controlled by
default-src.

-Dan Veditz

Received on Friday, 1 April 2016 00:05:48 UTC