Hi, Gerv.  Thanks a lot for your comments.  I'll address the comments
that weren't already covered by Johnathan or Sid, both of whom I agree
with.

On Apr 6, 3:56 am, Gervase Markham <g...@mozilla.org> wrote:
> Are we expecting to see some or all of this in Firefox 3.5, or Firefox-next?

Firefox-next.

> - "but a declared (unexpanded) policy always has the "allow" directive."
> I think you need to make it more clear that "allow" is mandatory. But
> what was the logic behind making it so? Why not assume "allow *", which
> is what browsers do in the absence of CSP anyway?

Sid did address this one, but I want to be clear in the rationale.
Once we see the Content Security Policy header (or meta tag), we want
to force sites to be explicit about what they are allowing.  Yes,
"allow *" is the default browser behavior without CSP presently, but
we want to avoid cases where sites assume the default behavior of CSP
is more restrictive than it actually is.  I could envision, for
example, a site presuming that "allow none" or "allow self" was the
default, and that additional policy could be specified from there.  If
a site really wants to "allow *", then we want them to explicitly
state that.

> And the other document
> http://people.mozilla.org/~bsterne/content-security-policy/details.html:
>
> - "policy-uri documents must be served with the MIME type
> text/content-security-policy to be valid" This probably needs an "x-"
> until we've registered it, which we should do before deployment. It's
> not a complex process, I hear.

That sounds fair.  I'll update the document with that change.

> - "Hostname, including an optional leading wildcard, e.g. *.mozilla.org"
> Does that include foo.bar.baz.mozilla.org? If so, we should say so
> explicitly (in both docs).

That's true too.  I'll make the language more clear.

Cheers,
Brandon
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
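As an added illustration of the two points argued in this message (the mandatory "allow" directive, and leading-wildcard host matching), here is a small Python sketch. It is example code written for this thread, not Mozilla's CSP implementation and not anything Brandon or Gerv posted. It assumes a policy grammar of semicolon-separated directives with whitespace-separated sources (e.g. `allow self; img-src *.mozilla.org`), assumes that `*.mozilla.org` matches any depth of subdomain (the reading Gerv asks to have made explicit), and assumes that an undeclared directive falls back to the `allow` sources; all three are assumptions about the draft, not facts stated on the page.

```python
"""Illustrative early-draft CSP checks (example code for this thread, not
Mozilla's implementation).  Assumed grammar: 'directive src src; directive src'.
Assumed semantics: a leading '*.' matches any number of subdomain labels, and a
directive that is not declared falls back to the 'allow' sources."""

from typing import Dict, List


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Parse 'allow self; img-src *.mozilla.org' into a directive -> sources map.

    Raises ValueError when the mandatory 'allow' directive is absent.  This is
    the rationale in the message above: once a CSP header is present, a policy
    without 'allow' is rejected outright rather than silently treated as
    'allow *', so a site cannot mistakenly assume a more restrictive default.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, *sources = chunk.split()
        directives[name.lower()] = [s.lower() for s in sources]
    if "allow" not in directives:
        raise ValueError("invalid policy: mandatory 'allow' directive is missing")
    return directives


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against a host-source with an optional leading wildcard.

    '*.mozilla.org' matches 'www.mozilla.org' and 'foo.bar.baz.mozilla.org'
    (assumed any-depth semantics) but not the bare 'mozilla.org', and not
    'evilmozilla.org' because the dot before the suffix is required.
    A pattern without a wildcard must match the host exactly.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mozilla.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def source_allowed(policy: Dict[str, List[str]], directive: str,
                   origin_host: str, host: str) -> bool:
    """Decide whether `directive` permits a load from `host`.

    Falls back to the 'allow' sources when `directive` is not declared
    (assumed fallback).  'none' denies everything; 'self' permits only the
    page's own host; anything else is treated as a host-source pattern.
    """
    sources = policy.get(directive, policy["allow"])
    host = host.lower()
    for src in sources:
        if src == "none":
            return False
        if src == "self":
            if host == origin_host.lower():
                return True
        elif host_matches(src, host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy for demonstration.
    pol = parse_policy("allow self; img-src *.mozilla.org; script-src none")
    print(source_allowed(pol, "img-src", "www.example.com", "foo.bar.baz.mozilla.org"))
    print(source_allowed(pol, "script-src", "www.example.com", "www.example.com"))
```

The `host_matches` check deliberately requires the literal `.` before the suffix so that a lookalike registered domain such as `evilmozilla.org` is never matched by `*.mozilla.org`; that is the edge case a wildcard matcher most often gets wrong.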