- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 25 Jan 2011 12:31:15 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
(apologies for the premature send)

On 01/25/2011 10:42 AM, Adam Barth wrote:
> On Tue, Jan 25, 2011 at 8:48 AM, Steingruebl, Andy
> <asteingruebl@paypal-inc.com> wrote:
>> CSP isn't only useful for stopping XSS either. It can be a policy
>> enforcement for where scripts can come from. Just like it can control
>> framing, which isn't really about XSS either. I think it would be a lot
>> less useful if it didn't include those capabilities/functions, as those
>> are some of my major initial use cases.
>
> IMHO, in the first iteration we should nail XSS and set up an
> extensible policy framework that we can extend to address other
> threats in the future.

It doesn't make sense to me to pass over features that have value to potential implementors for the sake of getting something out there quickly. Future extensions to the model, while expected, will come with costs, so we should do our best to reduce the number of iterations. Let's deliver something quickly, but let's include as much as we think is useful, with justifiable levels of complexity, in the first iteration.

Best,
Brandon
Received on Tuesday, 25 January 2011 20:33:07 UTC
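The capabilities Andy refers to in the quoted message (restricting where scripts may load from, and controlling who may frame the page) are worth seeing as an enforcement decision rather than a slogan. The following is an added illustration, not code from this thread, from Mozilla, or from any CSP implementation: a deliberately simplified evaluator that parses a policy header and answers the two questions a browser would ask. The policy text, the page origin and the candidate URLs are constructed sample values; the matching rules are an assumption of this example (host sources, `*.` wildcards, `'self'`, `'none'` and `*` only; no paths, nonces or hashes) and do not reproduce the full algorithm of any CSP specification.

```python
"""Simplified Content Security Policy evaluator (added example, not from the
thread).  Shows that script-src and frame-ancestors enforce loading and
framing policy independently of whether an XSS bug exists.

Assumptions (not the spec's full matching algorithm): source expressions are
limited to host sources (optionally with a scheme), '*.host' wildcards,
'self', 'none' and '*'.
"""
from urllib.parse import urlparse

# Constructed sample values for the demonstration.
PAGE_ORIGIN = "https://shop.example.com"
POLICY_HEADER = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "frame-ancestors 'none'"
)


def parse_policy(header: str) -> dict:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or '*.example.com' matching any proper subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host != suffix[1:]
    return pattern == host


def _source_matches(src: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit `url`, evaluated from `page_origin`?"""
    target, page = urlparse(url), urlparse(page_origin)
    if src == "*":
        return True
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (
            page.scheme, page.hostname, page.port)
    scheme, _, host = src.partition("://")
    if not host:  # bare host source, no scheme given
        return _host_matches(src.split(":")[0], target.hostname or "")
    host = host.split(":")[0]
    return scheme == target.scheme and _host_matches(host, target.hostname or "")


def source_allowed(sources, url: str, page_origin: str) -> bool:
    """A 'none' list denies everything; otherwise any matching source allows."""
    if "'none'" in sources:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


def script_allowed(policy: dict, script_url: str, page_origin: str) -> bool:
    """script-src falls back to default-src; no directive at all means allow."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return source_allowed(sources, script_url, page_origin)


def framing_allowed(policy: dict, framer_origin: str, page_origin: str) -> bool:
    """frame-ancestors has no default-src fallback; absent means framing is allowed."""
    sources = policy.get("frame-ancestors")
    if sources is None:
        return True
    return source_allowed(sources, framer_origin, page_origin)


if __name__ == "__main__":
    policy = parse_policy(POLICY_HEADER)
    for url in ("https://shop.example.com/app.js",
                "https://cdn.example.com/lib.js",
                "https://other.example.net/x.js"):
        print(f"script {url}: {'allowed' if script_allowed(policy, url, PAGE_ORIGIN) else 'blocked'}")
    for framer in ("https://shop.example.com", "https://partner.example"):
        print(f"framing by {framer}: {'allowed' if framing_allowed(policy, framer, PAGE_ORIGIN) else 'blocked'}")
```

The same policy blocks a third-party script even when the markup that references it is perfectly legitimate, and refuses every framing origin regardless of any script-injection concern, which is the "policy enforcement" use case the quoted message describes.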