On 03/13/2010 06:13 AM, Nick Kralevich wrote: > I'm not sure if this clarifies things.... > > 1) There are now two ways to specify an "inherited-scheme / any port" > policy, "*" and "*:*". Having two ways to express the same concept may > lead to more confusion, not less.
Sid addressed the overloading of "*" issue in his reply, but personally I don't see this as a source of confusion. If other people disagree, speak up. > 2) This is inconsistent with other host wildcard handling. For example, > "*.google.com" means "inherited-scheme / google host > / *default* port" whereas "*" means "inherited scheme / any host / *any* > port". > > Instead of making a change to the formal specification, it may make > sense to change all occurrences of "allow *" in the document to "allow > *:*". I still like the shorthand value of "*" being equivalent to "*:*", but that's just one guy's opinion. > > 2) How does one specify a wildcard for any protocol? > > I don't think we should allow that. Do you have a reason to believe we > should? > > IMHO, any policy language needs to cover the entire range of policies, > from completely *permissive* to completely *preventative*. > > The CSP has completely preventative down. It can be written as: > > X-Content-Security-Policy: allow 'none'; > > It seems like the only way to write a completely permissive policy is to > explicitly list out all possible schemes, which is awkward (IMHO). All kidding aside, the completely permissive policy is the one you don't send. I don't really see the value of complicating the spec in order to satisfy the requirement of a full permission spectrum. -Brandon _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
