
Re: [CSP][SRI] block-non-sri-resources: * or no *?

From: Francois Marier <francois@mozilla.com>
Date: Thu, 31 Mar 2016 16:22:12 -0700
To: public-webappsec@w3.org
Message-ID: <56FDB124.6030605@mozilla.com>
On 31/03/16 03:18 PM, Neil Matatall wrote:
> 1. Using `*` in this context is similar to using `default-src 'none'`:
> you're committing to full coverage and dealing with the breakage.

Note that in CSP Level 2, where form-action and frame-ancestors were
introduced, that breakage was presumably deemed unacceptable and so both
of these directives are unaffected by "default-src 'none'":

  https://www.w3.org/TR/CSP2/#directive-form-action
  https://www.w3.org/TR/CSP2/#directive-frame-ancestors

Francois
Received on Thursday, 31 March 2016 23:22:41 UTC
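The point being made in the message above is that `default-src` only acts as a fallback for a fixed set of directives, and `form-action` and `frame-ancestors` are not in that set, so a page served with only `default-src 'none'` still permits form submissions to any origin and framing by any origin. The following is an added example, not code from the thread or from any browser or W3C project: a small resolver that parses a CSP header, applies the CSP Level 2 fallback rule, and reports whether a given origin is allowed for a given directive. The fallback and no-fallback directive lists are taken from the CSP2 specification; the origin matching is deliberately simplified (`'self'` is modelled as a plain string comparison with the page origin, which is an assumption of this example, not the spec's full matching algorithm).

```javascript
// Added example (not from the original thread): resolve which source list
// governs a CSP directive, applying the default-src fallback only to the
// directives that CSP Level 2 says fall back to it.

// Directives that inherit from default-src when they are absent (CSP2).
const FALLS_BACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "img-src",
  "media-src", "object-src", "script-src", "style-src",
]);

// Directives that never fall back: when absent, nothing is restricted.
// form-action and frame-ancestors are the two the message above discusses.
const NO_FALLBACK = new Set([
  "base-uri", "form-action", "frame-ancestors", "plugin-types",
  "report-uri", "sandbox",
]);

// Parse "name value value; name value" into a Map of name -> [tokens].
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the source list that governs `directive`, or null if the policy
// places no restriction on it at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  // Either a no-fallback directive, or no default-src present.
  return null;
}

// Simplified check: 'none' blocks everything, '*' allows everything,
// 'self' is compared against pageOrigin as a plain string (assumption of
// this example), and anything else must match the origin exactly.
function isAllowed(policy, directive, origin, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true; // unrestricted
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return sources.some(
    (s) => s === "*" || s === origin || (s === "'self'" && origin === pageOrigin)
  );
}

// Constructed sample policies (not from the thread).
const onlyDefaultNone = parsePolicy("default-src 'none'");
const explicit = parsePolicy(
  "default-src 'none'; form-action 'self'; frame-ancestors 'none'"
);
```

With `onlyDefaultNone`, `isAllowed(..., "script-src", ...)` is false for every origin because `script-src` falls back to `default-src`, but `form-action` and `frame-ancestors` resolve to `null` and so are allowed for any origin. The `explicit` policy shows what a site has to write to actually restrict them.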
