- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 28 Mar 2011 13:36:37 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 03/27/2011 05:10 PM, Adam Barth wrote:
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
> says:
>
> [[
> When a user-agent receives a policy that contains no directives
> recognized by the user-agent, the user-agent MUST discard the entire
> policy and enforce a policy of default-src 'none' on the protected
> resource. User-agents SHOULD report a warning message to the error
> console communicating that an invalid policy was received.
> ]]
>
> That seems like a bad idea. What happens when we invent some
> directive in the future that is more popular than any of our current
> directives? Sites won't be able to use the new directive alone
> because down-rev browsers will break their site by turning off all
> resource loads!
>
> Adam

I agree with this proposed change, which specifically addresses the case of "some, but no recognized directives" by failing open for the reasons you describe. There are still, however, unresolved and non-trivial issues with how to handle "default" policies in various cases. I have most of a post covering those issues drafted and will share that with the list sometime hopefully soon.

I'm making a note to fix this particular issue in the draft right away.

Cheers,
Brandon
Received on Monday, 28 March 2011 20:34:33 UTC
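The compatibility problem discussed in the thread, modelled as an added example (this is illustrative code, not code from the CSP draft, from Mozilla, or from either author). A small header parser is run against two hypothetical user agents' handling rules: the draft's rule (no recognized directives: discard the policy and enforce default-src 'none') and the proposed rule (ignore unrecognized directives and enforce whatever is recognized). The directive list, the `future-src` directive name, the sample headers and the source-matching helper are all constructed assumptions; real CSP source-expression matching is considerably more involved.

```javascript
// Added example, not code from the thread or from the CSP specification.
// Models what a user agent does with a Content-Security-Policy header whose
// directives it does not recognize, under the two rules discussed above.

// Directives a hypothetical down-rev user agent understands (assumption:
// a 2011-era directive list, used only for illustration).
const DOWNREV_DIRECTIVES = new Set([
  'default-src', 'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src', 'report-uri',
]);

// Split "name value value; name value" into a Map of name -> [values].
// Duplicate directive names keep the first occurrence (assumption).
function parsePolicy(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const text = chunk.trim();
    if (text === '') continue;
    const [name, ...values] = text.split(/\s+/);
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Keep only the directives this user agent knows about.
function recognizedSubset(parsed, known) {
  return new Map([...parsed].filter(([name]) => known.has(name)));
}

// Rule quoted from the draft: if the policy has directives but none are
// recognized, discard it and enforce default-src 'none' (fail closed).
function enforceDraftRule(header, known) {
  const parsed = parsePolicy(header);
  const recognized = recognizedSubset(parsed, known);
  if (parsed.size > 0 && recognized.size === 0) {
    return { discarded: true, policy: new Map([['default-src', ["'none'"]]]) };
  }
  return { discarded: false, policy: recognized };
}

// Rule proposed in the thread: unrecognized directives are ignored and
// only the recognized ones are enforced (fail open).
function enforceProposedRule(header, known) {
  const parsed = parsePolicy(header);
  return { discarded: false, policy: recognizedSubset(parsed, known) };
}

// Deliberately simplified source check (assumption, not the spec's
// algorithm): use the named directive, fall back to default-src, allow only
// if the exact source expression or '*' is listed; 'none' blocks everything.
function allowsSource(policy, directive, sourceExpr) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;   // no applicable directive
  if (sources.includes("'none'")) return false;
  return sources.includes('*') || sources.includes(sourceExpr);
}

// Constructed header: a site relying only on a directive that did not exist
// when the down-rev user agent shipped ("future-src" is hypothetical).
const FUTURE_ONLY_HEADER = 'future-src https://cdn.example';

// Constructed header mixing a recognized and an unrecognized directive.
const MIXED_HEADER = "script-src 'self'; future-src https://cdn.example";

// Does each rule end up blocking the site's own scripts?
function demo() {
  const draft = enforceDraftRule(FUTURE_ONLY_HEADER, DOWNREV_DIRECTIVES);
  const proposed = enforceProposedRule(FUTURE_ONLY_HEADER, DOWNREV_DIRECTIVES);
  return {
    draftBlocksSelfScripts: !allowsSource(draft.policy, 'script-src', "'self'"),
    proposedBlocksSelfScripts: !allowsSource(proposed.policy, 'script-src', "'self'"),
  };
}
```

Under the draft rule a down-rev browser turns the future-only header into default-src 'none' and blocks every load on the page; under the proposed rule the same browser simply enforces nothing, which is the failure mode Adam argues for. Note that the proposed rule only changes the "no recognized directives" case: a header mixing known and unknown directives is handled identically by both.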