W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

[CSP][SRI] block-non-sri-resources: * or no *?

From: Neil Matatall <oreoshake@github.com>
Date: Thu, 31 Mar 2016 12:18:05 -1000
Message-ID: <CAASU7Q7+oxU7dnUymmeYs5X3=Y7t45VE3Dix+XvKm1vsB=VUjw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
During the last teleconference [1], we discussed the future of using
`*` as a source expression in a `block-non-sri-resources` context.
Whether this lands as part of CSP, in a separate header, etc. we
should decide if `*` is allowed as a value.

## Arguments for:

1. Using `*` in this context is similar to using `default-src 'none'`:
you're committing to full coverage and dealing with the breakage.
2. `*` is shorter than 'script' 'style' 'images' 'audio' 'video'
'etc'. As more subresources get integrity attributes, this list might
get long. This introduces a small amount of header bloat. Differing
implementation rates might cause confusion over what `*` means.

## Arguments against:

1. The meaning of `*` is going to change and that's bad.
2. As user agents implement support for more subresources, apps will
break likely without warning.
3. Things like changing the meaning of `*` and breaking things are bad
for CSP adoption.
4. There was an assumption most people will implement `*` as it is
today, so they will undoubtedly run into #3.

The consensus was against using *, but that we should reach out to the
broader community for any other arguments *for* using `*` or if people
would still want `*`.

You can also comment on the pull request [2] and help clean up that mess.

[1] https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/att-0077/webappsec.txt
[2] https://github.com/w3c/webappsec-csp/pull/64
Received on Thursday, 31 March 2016 22:18:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:18 UTC