On 4/6/09 11:36 PM, Daniel Veditz wrote:
> "allow" is not mandatory, but if missing it's assumed to be "allow
> none". If you explicitly specify the whitelisted hosts for each type of
> load you might not need or want a global fallback which could only be
> used to sneak through types you hadn't thought about. Future browser
> features, for instance.

Not according to our proposed spec:

https://wiki.mozilla.org/Security/CSP/Spec#Directives
http://people.mozilla.org/~bsterne/content-security-policy/details.html#allow

See comments from me and Sid from yesterday explaining why allow is required.

I somewhat agree with the spirit of Dan's comment. If allow is not specified, then the _effect_ is to allow none, because the policy is invalid and CSP will fail closed. However, strictly speaking, we don't assume allow none if it isn't specified. We will treat that as invalid policy, logging an error, and not loading any of the content types.

By falling back to "allow none" when invalid policy is sent, websites will know right away that their pages are broken because no content, other than textual elements, will load. This is a more secure option than failing open and having websites potentially believe their users are protected.

-Brandon

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
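
The fail-closed behaviour discussed in this message, as an added example that is not part of the original post and not Mozilla's implementation: a policy with no `allow` directive is treated as invalid, an error is recorded, and every load is refused even where a per-type directive would have permitted it. The `;`-separated syntax, the `img-src`/`script-src` directive names, the simplified host matching and all host names are assumptions made for the illustration.

```javascript
// Illustrative model of fail-closed policy handling (added example).
// Assumed syntax: directives separated by ";", each "name source source ...".
// Directive names other than "allow" (img-src, script-src) are assumptions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  // A policy without "allow" is invalid, not an implicit "allow none".
  const valid = directives.has("allow");
  const errors = valid ? [] : ['invalid policy: missing "allow" directive'];
  return { valid, directives, errors };
}

// Simplified source matching: "none", "*", "self", exact host, or "*.domain".
function hostMatches(source, host, selfHost) {
  if (source === "none") return false;
  if (source === "*") return true;
  if (source === "self") return host === selfHost;
  if (source.startsWith("*.")) return host.endsWith(source.slice(1));
  return source === host;
}

// Decide whether a load of the given type from the given host may proceed.
function mayLoad(policy, type, host, selfHost) {
  if (!policy.valid) return false; // fail closed: block every content type
  // Per-type directive if present, otherwise the global "allow" fallback.
  const sources = policy.directives.get(type + "-src") ?? policy.directives.get("allow");
  return sources.some((s) => hostMatches(s, host, selfHost));
}

// Constructed sample policies and hosts.
const SELF = "www.example.com";
const good = parsePolicy("allow self; img-src *.cdn.example.net");
const noAllow = parsePolicy("img-src *.cdn.example.net; script-src self");

function demo() {
  return {
    goodImg: mayLoad(good, "img", "a.cdn.example.net", SELF),
    goodScriptSelf: mayLoad(good, "script", SELF, SELF),
    goodScriptOther: mayLoad(good, "script", "other.example.org", SELF),
    noAllowImg: mayLoad(noAllow, "img", "a.cdn.example.net", SELF),
    noAllowErrors: noAllow.errors,
  };
}
console.log(demo());
```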
