W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

some CSP features on by default or not ? (was: Re: CSP Directive Proposal: Sandbox)

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Fri, 25 Feb 2011 13:43:22 -0800
Message-ID: <4D68227A.3080202@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>
AdamB said on Wed, 23 Feb 2011 21:18:26 -0800
 >
 > On Wed, Feb 23, 2011 at 5:18 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
 >
 >> I see your comments suggesting this change and Collin's supporting them.
 >>  I don't see how you got from there to "this group".  I'm not saying the
 >> suggested change is without merit, but there is a case to be made
 >> against it which Dan brought up.  I think the debate is still open.
 >
 > Fair enough.  Perhaps we should continue the discussion in the other thread.

The other thread, and the four relevant msgs therein, are...

Re: JavaScript URLs and script-src nit
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0096.html
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0097.html
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0113.html


..tho retitling it (or just carrying over into this thread) may be a good idea.

HTH,

=JeffH

 >> On 02/22/2011 07:41 PM, Adam Barth wrote:
 >>>
 >>> Oh, I meant this group.
 >>>
 >>> Adam
 >>>
 >>>
 >>> On Tue, Feb 22, 2011 at 6:24 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
 >>>
 >>>> I haven't seen any consensus forming on that, maybe Adam's "we"
 >>>> means webkit.
 >>>>
 >>>> On 2/22/11 1:31 AM, sird@rckc.at wrote:
 >>>>
 >>>>> Oh, I wasn't aware that the "default-do-noting" was really happening.
 >>>>>
 >>>>> -- Eduardo
 >>>>>
 >>>>> On Tue, Feb 22, 2011 at 1:16 AM, Adam Barth <w3c@adambarth.com> wrote:
 >>>>>
 >>>>>> I don't think the situation is as tricky as you make it out to be,
 >>>>>> especially if we go the route of an empty CSP policy not implying
 >>>>>> inline script restrictions, which seems likely.
 >>>>>>
 >>>>>> Adam
Received on Friday, 25 February 2011 21:43:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 February 2011 21:43:56 GMT