Re: [CSP][SRI] block-non-sri-resources: * or no *?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 31 Mar 2016 17:05:18 -0700
Message-ID: <CADYDTCCK4XQexO3UcJ8SDGHdkG4KKfO2o09FfeSRdJ3V+XDU7Q@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

I don't remember the rationale behind form-action without looking it up but
I suspect it was rather more the fact that default-src doesn't block
navigations. Submitting forms is more like navigating than loading
resources into a document.

Breakage definitely was not the rationale behind frame-ancestors. That
directive describes the embedding context (like the sandbox directive) and
has nothing to do with resources loaded by that document. So far we've
worked to give directives "-src" names if they're going to be controlled by
default-src.

-Dan Veditz
Received on Friday, 1 April 2016 00:05:48 UTC
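The distinction Dan draws above, shown as an added example that is not part of the thread: a small policy evaluator that applies the "-src" naming convention he describes, so only fetch directives inherit from `default-src`, while `form-action` and `frame-ancestors` stay unrestricted unless set explicitly. The header values are constructed, and the evaluator deliberately ignores CSP3's finer fallback chains (such as `script-src-elem` to `script-src`).

```python
# Added example, not code from the mailing-list thread. Models the rule
# discussed there: default-src governs "-src" (resource-loading) directives,
# not navigation/embedding directives such as form-action and frame-ancestors.
# Simplification: CSP3's finer chains (script-src-elem -> script-src) are ignored.

def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)  # first occurrence of a directive wins
    return policy


def falls_back_to_default(directive):
    """Directives named '*-src' inherit from default-src; everything else does not."""
    return directive.endswith("-src") and directive != "default-src"


def effective_sources(policy, directive):
    """Return the source list that actually governs `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if falls_back_to_default(directive):
        return policy.get("default-src")
    return None  # form-action / frame-ancestors: no fallback, so not restricted at all


def unrestricted_navigation_directives(header):
    """Directives from the thread that this header leaves open despite default-src."""
    policy = parse_csp(header)
    return [d for d in ("form-action", "frame-ancestors")
            if effective_sources(policy, d) is None]


# Constructed policies: the first relies on default-src alone, the second sets
# the navigation/embedding directives explicitly.
WEAK = "default-src 'self'"
HARDENED = "default-src 'self'; form-action 'self'; frame-ancestors 'none'"
```

Running `unrestricted_navigation_directives(WEAK)` reports both directives as open, while `img-src` under the same header correctly resolves to `'self'` via the fallback.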

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:19 UTC