
Re: [Content Security Policy] Usability?

From: Terri Oda <terri@zone12.com>
Date: Thu, 03 Feb 2011 01:07:37 -0500
Message-ID: <4D4A4629.5000903@zone12.com>
To: public-web-security@w3.org

Aryeh Gregor wrote:
> I have no experience with usability study design, but your proposed
> study looks like it would take a couple of hours to do.  If we're just
> grabbing random acquaintances of ours, as opposed to paying people to
> take it, that's a bit much.
> 
> Also, I'm dubious about making the first step "read the spec" --
> that's not how real-world authors learn things.  Maybe it would make
> more sense to just give them an existing policy and ask them to make
> particular changes (with access to Google), since almost everyone
> learns stuff mostly by copy-paste.

I was also concerned about the length, but wasn't too sure what folk
here would consider a fair test.  However, you bring up a good point:
maybe it's a much fairer test to put, say, a half-hour limit on it, and
see what people can come up with given access to links to the
documentation, access to Google, and the site they're supposed to be
securing?  It'd certainly be an easier study to run, and might reflect
the sort of time pressures one would expect to see on actual developers
(who I'm guessing are most likely to get interested in CSP when
something blows up and they have to "fix it now").

  Terri
Received on Thursday, 3 February 2011 06:08:06 GMT
