- From: Neil Matatall <oreoshake@github.com>
- Date: Thu, 31 Mar 2016 12:18:05 -1000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
During the last teleconference [1], we discussed the future of using `*` as a source expression in a `block-non-sri-resources` context. Whether this lands as part of CSP, in a separate header, etc., we should decide if `*` is allowed as a value.

## Arguments for:

1. Using `*` in this context is similar to using `default-src 'none'`: you're committing to full coverage and dealing with the breakage.
2. `*` is shorter than 'script' 'style' 'images' 'audio' 'video' 'etc'. As more subresources get integrity attributes, this list might get long. This introduces a small amount of header bloat.

Differing implementation rates might cause confusion over what `*` means.

## Arguments against:

1. The meaning of `*` is going to change and that's bad.
2. As user agents implement support for more subresources, apps will likely break without warning.
3. Things like changing the meaning of `*` and breaking things are bad for CSP adoption.
4. There was an assumption most people will implement `*` as it is today, so they will undoubtedly run into #3.

The consensus was against using `*`, but we should reach out to the broader community for any other arguments *for* using `*`, or to find out if people would still want `*`. You can also comment on the pull request [2] and help clean up that mess.

[1] https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/att-0077/webappsec.txt
[2] https://github.com/w3c/webappsec-csp/pull/64
Received on Thursday, 31 March 2016 22:18:36 UTC
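The breakage argument above (a `*` policy that means "every subresource type this user agent knows how to check") is easiest to see by running the same page against two user agents with different integrity support. The following is an added example, not code from the message or from the webappsec-csp repository: a small model of a `block-non-sri-resources`-style policy evaluated by a current user agent (scripts and styles) and by a hypothetical future one that also checks images. The directive semantics, the resource-type keywords, the "future" image support, the sample HTML and the `sha384-PLACEHOLDER` digest are all constructed for illustration.

```python
"""Model of a block-non-sri-resources-style policy under two user agents.

Added example (assumptions, not spec text): a policy value is either `*`
or a list of quoted resource-type keywords; a user agent enforces the
policy only for the resource types it knows how to integrity-check.
"""
from html.parser import HTMLParser

# Resource types a present-day user agent can integrity-check (assumed).
UA_TODAY = {"script", "style"}
# Hypothetical future user agent that also checks images (assumed).
UA_FUTURE = {"script", "style", "image"}

# Constructed sample document: one script with an integrity attribute,
# a stylesheet and an image without one. The digest is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/a.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="/b.css">
</head><body>
<img src="/c.png">
</body></html>
"""


class SubresourceCollector(HTMLParser):
    """Collect (type, url, has_integrity) for tags that load subresources."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        has_integrity = "integrity" in a
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], has_integrity))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.resources.append(("style", a["href"], has_integrity))
        elif tag == "img" and a.get("src"):
            self.resources.append(("image", a["src"], has_integrity))


def parse_policy(value):
    """Turn `*` or `'script' 'style' ...` into a set of type keywords."""
    return {tok.strip("'") for tok in value.split()}


def enforced_types(policy, supported_types):
    """Types this user agent actually blocks for the given policy.

    `*` expands to everything the UA supports, so its meaning grows with
    each new implementation; an explicit list is capped by what was written.
    """
    if policy == {"*"}:
        return set(supported_types)
    return set(policy) & set(supported_types)


def blocked_resources(html, policy, supported_types):
    """URLs (in document order) a UA would refuse to load under the policy."""
    collector = SubresourceCollector()
    collector.feed(html)
    enforced = enforced_types(policy, supported_types)
    return [url for typ, url, ok in collector.resources
            if typ in enforced and not ok]


if __name__ == "__main__":
    for label, ua in (("today", UA_TODAY), ("future", UA_FUTURE)):
        for value in ("*", "'script' 'style'"):
            blocked = blocked_resources(SAMPLE_HTML, parse_policy(value), ua)
            print(f"UA {label:6} policy {value!r:20} blocks {blocked}")
```

Under `'script' 'style'` both user agents block only `/b.css`; under `*` the future user agent additionally blocks `/c.png`, even though the page and the header did not change. That is the "break without warning" case from argument 2, and also why a site choosing `*` is committing to full coverage in the sense of argument 1.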