Sid Stamm wrote:
>> Also, the "blocked-headers" is defined as required, but not all
>> schemes (specifically, FTP and FILE) use headers.
> Removed the requirement to send "request-headers" from the XML schema
> (implied optional).
Just jumping off here on a related topic: What do we send as the "blocked-uri" when we find inline script? Since this is perhaps the most common injection type, this would be a good one for an example.

I suppose we could leave blocked-uri empty and let people infer that it was inline script from the violated directive. I'd rather be explicit about it, but then "blocked-uri" might be the wrong name. Or do we leave the blocked-uri empty (absent, or present-but-empty?) and use a keyword like <violated-directive>inline script</violated-directive>?

For clarification, if the entire policy was "allow self othersite.com" and we tried to load an image in violation of that policy, would the violated-directive be the implied img-src or the allow fall-back that is actually specified? I imagine it would be the allow directive.
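Added example, not from this thread or from the draft spec: a small Python model of the two questions raised above, in which the "allow" directive governs any load whose own directive (such as img-src) is absent from the policy, and an inline-script violation is reported with an empty blocked-uri. The policy syntax, the report field names, the host-only source matching and the rule that inline script is always a violation are assumptions made for this illustration.

```python
"""Model of early-draft CSP reporting as discussed on dev-security.
Assumptions (not spec text): 'allow' is the fallback for directives
not listed; source expressions are 'self' or bare host names; inline
script is always a violation and is reported with an empty blocked-uri."""
from urllib.parse import urlsplit


def parse_policy(policy):
    """'allow self othersite.com; img-src self' -> {'allow': [...], ...}"""
    directives = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def effective_directive(directives, resource_directive):
    """Name of the directive that actually governs this load: the
    explicit one if the policy lists it, otherwise the 'allow' fallback."""
    if resource_directive in directives:
        return resource_directive
    return "allow"


def source_allowed(sources, document_uri, uri):
    """Does the URI's host match any source expression ('self' or host)?"""
    host = urlsplit(uri).hostname
    for src in sources:
        if src == "self" and urlsplit(document_uri).hostname == host:
            return True
        if src == host:
            return True
    return False


def build_report(policy, document_uri, resource_directive, uri=None):
    """Return the violation-report fields, or None when the load is allowed.
    uri=None models inline script: always blocked, blocked-uri left empty.
    violated-directive names the directive present in the policy, so an
    image blocked under 'allow self othersite.com' reports 'allow ...'."""
    directives = parse_policy(policy)
    governing = effective_directive(directives, resource_directive)
    if uri is not None and source_allowed(directives[governing], document_uri, uri):
        return None
    return {
        "document-uri": document_uri,
        "violated-directive": governing + " " + " ".join(directives[governing]),
        "blocked-uri": "" if uri is None else uri,
    }
```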