- From: Francois Marier <francois@mozilla.com>
- Date: Thu, 31 Mar 2016 16:22:12 -0700
- To: public-webappsec@w3.org
On 31/03/16 03:18 PM, Neil Matatall wrote:
> 1. Using `*` in this context is similar to using `default-src 'none'`:
> you're committing to full coverage and dealing with the breakage.

Note that in CSP Level 2 where form-action and form-ancestors were introduced, that breakage was presumably deemed unacceptable and so both of these directives are unaffected by "default-src 'none'":

https://www.w3.org/TR/CSP2/#directive-form-action
https://www.w3.org/TR/CSP2/#directive-frame-ancestors

Francois
Received on Thursday, 31 March 2016 23:22:41 UTC
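
The fallback behaviour discussed in the message above, as an added example that is not part of the original post or of the CSP specification text: a small policy auditor that resolves which source list governs each directive under the CSP Level 2 `default-src` fallback and reports when `form-action` or `frame-ancestors` is left unrestricted. The function names and sample policies are constructed for illustration, and the parsing is simplified to splitting on `;` and whitespace.

```python
# Added example: CSP Level 2 default-src fallback (simplified parsing).
# Fetch directives that fall back to default-src in CSP Level 2.
FALLBACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
}
# The two directives named in the message; neither falls back to default-src.
NO_FALLBACK = ("form-action", "frame-ancestors")


def parse_policy(header):
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Directive names are case-insensitive; the first occurrence wins
        # and later duplicates are ignored.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list governing `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def uncovered(header):
    """List the no-fallback directives that a policy leaves unrestricted."""
    policy = parse_policy(header)
    return [d for d in NO_FALLBACK if effective_sources(policy, d) is None]


if __name__ == "__main__":
    # Constructed sample policies.
    strict_looking = "default-src 'none'; script-src 'self'"
    full_coverage = ("default-src 'none'; script-src 'self'; "
                     "form-action 'self'; frame-ancestors 'none'")
    for sample in (strict_looking, full_coverage):
        print(sample, "->", uncovered(sample) or "covered")
```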