Hi Nick, Thanks for the feedback!

On 3/12/10 1:39 PM, Nick Kralevich wrote:
> *1) Is "allow" optional or required?*
>
> The allow specification (https://wiki.mozilla.org/Security/CSP/Spec#allow)
> indicates that "allow" is an optional field. Quoting that section:
>
> If the allow directive is not explicitly specified, no content from any
> source will be loaded. This is equivalent to the policy "allow 'none'".
>
> However, earlier on that page
> (https://wiki.mozilla.org/Security/CSP/Spec#Policy_Language_and_Syntax)
> there's the following:
>
> A policy is composed of directives with their corresponding values. Any
> number of directives can be defined, but the *allow directive must always be
> present*.

Yes, this is unclear in the spec: reverting to "allow 'none'" is supposed to be a failure, and reported quietly to an error console. I'll clear it up. If the allow directive is not present, CSP fails closed.

> *2) Is "allow 'none'" allowed?*
> [...]
> Suggestion: The formal policy syntax should be updated to indicate that allow
> 'none' is allowed.

Yes, this is a bug in the syntax. <source-list> should be <src-dir-value>. Thanks for the catch!

-Sid

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
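As an added example (not code from the CSP spec, from Mozilla, or from this thread), here is a small parser for the old "allow ..." policy language that implements the behaviour Sid describes: a missing allow directive is reported to an error callback and the policy fails closed to allow 'none', while an explicit allow 'none' is accepted. The report callback, the source syntax regex and the matching rules in is_allowed are assumptions for illustration only.

```python
# Added illustration of the fail-closed rule discussed in the thread; the
# ';'-separated "directive value..." layout follows the old Mozilla CSP page,
# everything else (report callback, source grammar, matching) is assumed.
import re

SOURCE_RE = re.compile(r"^(?:'self'|'none'|\*|[A-Za-z0-9*.:/\-]+)$")

def parse_policy(policy: str, report=print) -> dict:
    """Return {directive: [sources]}; 'allow' is always present in the result."""
    directives = {}
    for raw in policy.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split()
        name, sources = parts[0].lower(), parts[1:]
        if not sources:
            report(f"CSP error: directive '{name}' has no value; ignored")
            continue
        if "'none'" in sources and len(sources) > 1:
            # 'none' only makes sense on its own; keep the restrictive reading
            report(f"CSP warning: 'none' mixed with other sources in '{name}'; using 'none'")
            sources = ["'none'"]
        bad = [s for s in sources if not SOURCE_RE.match(s)]
        if bad:
            report(f"CSP error: invalid source(s) {bad} in '{name}'; ignored")
            continue
        directives[name] = sources
    if "allow" not in directives:
        # The case Sid describes: report the failure and fail closed.
        report("CSP error: no allow directive; failing closed with allow 'none'")
        directives["allow"] = ["'none'"]
    return directives

def is_allowed(policy: dict, directive: str, origin: str, page_origin: str) -> bool:
    """Decide whether a load from `origin` is permitted; unset directives fall back to allow."""
    sources = policy.get(directive, policy["allow"])
    for s in sources:
        if s == "'none'":
            return False
        if s == "*" or s == origin:
            return True
        if s == "'self'" and origin == page_origin:
            return True
        if s.startswith("*.") and origin.endswith(s[1:]):
            return True
    return False
```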
