The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 |
Newsgroups: mozilla.dev.security
From: Daniel Veditz <dved...@mozilla.com>
Date: Mon, 06 Apr 2009 23:36:02 -0700
Local: Tues, Apr 7 2009 2:36 am
Subject: Re: Content Security Policy - final call for comments
Gervase Markham wrote: "allow" is not mandatory, but if missing it's assumed to be "allow > - "but a declared (unexpanded) policy always has the "allow" directive." > I think you need to make it more clear that "allow" is mandatory. But > what was the logic behind making it so? Why not assume "allow *", which > is what browsers do in the absence of CSP anyway? none". If you explicitly specify the whitelisted hosts for each type of load you might not need or want a global fallback which could only be used to sneak through types you hadn't thought about. Future browser features, for instance. Maybe this does point out the need for some kind of version number in > - "policy-uri documents must be served with the MIME type Until we get CSP onto a standards track they'd probably want us to use a > text/content-security-policy to be valid" This probably needs an "x-" > until we've registered it, which we should do before deployment. It's > not a complex process, I hear. text/vnd.mozilla.something, and since we'd like other browsers to support this I vote we go for the "x-" for now. You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
| |||||||||||||