
Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Fri, 28 Jan 2011 10:10:19 +0000
Message-ID: <4D42960B.4020402@mozilla.org>
To: Daniel Veditz <dveditz@mozilla.com>
CC: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 27/01/11 18:35, Daniel Veditz wrote:
>> 2) Make it more granular but simply tie it to the relevant tag name.
>> So, we could have allow[img] = ..., allow[embed] = ..., etc. This is
>> more immediately extensible, and allows unrecognized rules to be
>> skipped more confidently.
>
> Attractive from an educational point of view, easy to understand.
> Your <xxx> didn't load because you didn't add an allow[xxx] policy.
>
> I'd say "feature name" rather than "tag name". XHR isn't a tag, nor
> is font-face.

And once you do that, you basically have roughly what we have now, but 
with a slightly different syntax. (Now: <feature>-src; Then: 
allow[feature]). As soon as you move away from 1:1 tag matching, you 
will have the problem of deciding whether a new browser feature fits an 
existing value, or needs a new value.

IOW, I don't think allow[tag] works and I don't think allow[feature] is 
different to what we have now.

Gerv
Received on Friday, 28 January 2011 10:11:00 GMT
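The equivalence Gerv is arguing for, as an added illustration that is not from the thread or from any browser's CSP code: a toy policy parser that reads either the current "<feature>-src" form or the proposed "allow[feature]" form into the same canonical map, skips directive names it does not recognise (the property Michal wants), and makes the "which feature does this load belong to" decision explicit in a lookup table, which is the decision Gerv says neither syntax escapes. The directive names, the KNOWN_FEATURES set, the LOAD_TO_FEATURE table and the "default" fallback are assumptions of this example, not CSP as specified.

```javascript
// Added example: toy evaluator contrasting "<feature>-src" with "allow[feature]".
// Not from the thread or any CSP implementation; feature names, the
// LOAD_TO_FEATURE table and the "default" fallback are assumptions.

// Features the evaluator understands. Anything else is skipped on parse.
const KNOWN_FEATURES = new Set(['default', 'img', 'script', 'style', 'font', 'xhr', 'embed']);

// Parse a policy header in one of the two syntaxes into
// { rules: Map<feature, Set<host>>, ignored: [directive names dropped] }.
function parsePolicy(header, syntax) {
  const rules = new Map();
  const ignored = [];
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    let feature = null;
    if (syntax === 'dash-src') {
      const m = /^([a-z]+)-src$/.exec(name);      // e.g. "img-src"
      if (m) feature = m[1];
    } else if (syntax === 'allow-bracket') {
      const m = /^allow\[([a-z]+)\]$/.exec(name); // e.g. "allow[img]"
      if (m) feature = m[1];
    } else {
      throw new Error('unknown syntax: ' + syntax);
    }
    // Unrecognised directive names are skipped rather than failing the whole
    // policy; they are recorded so the deployer can see what was dropped.
    if (feature === null || !KNOWN_FEATURES.has(feature)) {
      ignored.push(name);
      continue;
    }
    rules.set(feature, new Set(sources));
  }
  return { rules, ignored };
}

// The classification step both syntaxes need once rules are not 1:1 with tags:
// a load kind (tag or API) must be assigned to a feature name. Assumed table.
const LOAD_TO_FEATURE = {
  '<img>': 'img',
  '<script>': 'script',
  '<embed>': 'embed',
  'font-face': 'font',      // not a tag, still needs a feature name
  'XMLHttpRequest': 'xhr',  // likewise
};

// Decide whether a load of `loadKind` from `origin` is permitted by `policy`.
function isAllowed(policy, loadKind, origin) {
  const feature = LOAD_TO_FEATURE[loadKind];
  if (feature === undefined) {
    // A capability nobody has classified yet: no rule can apply. Fail closed.
    return false;
  }
  const sources = policy.rules.get(feature) || policy.rules.get('default');
  if (!sources) return false; // no rule for this feature and no default
  return sources.has(origin) || sources.has('*');
}

// True when two parsed policies carry the same feature -> host sets.
function policiesEquivalent(p, q) {
  if (p.rules.size !== q.rules.size) return false;
  for (const [feature, sources] of p.rules) {
    const other = q.rules.get(feature);
    if (!other || other.size !== sources.size) return false;
    for (const s of sources) if (!other.has(s)) return false;
  }
  return true;
}

// Constructed sample policies: the same rules written in each syntax, plus one
// made-up directive ("frobnicate") that neither parser should accept.
const POLICY_A = 'default-src self.example; img-src cdn.example; ' +
                 'font-src fonts.example; frobnicate-src x.example';
const POLICY_B = 'allow[default] self.example; allow[img] cdn.example; ' +
                 'allow[font] fonts.example; allow[frobnicate] x.example';

const parsedA = parsePolicy(POLICY_A, 'dash-src');
const parsedB = parsePolicy(POLICY_B, 'allow-bracket');
console.log('equivalent:', policiesEquivalent(parsedA, parsedB));
console.log('ignored:', parsedA.ignored, parsedB.ignored);
console.log('XHR to self.example:', isAllowed(parsedA, 'XMLHttpRequest', 'self.example'));
console.log('WebSocket to self.example:', isAllowed(parsedA, 'WebSocket', 'self.example'));
```

The interesting case is the last line: a load kind that is not in LOAD_TO_FEATURE has no rule to consult under either syntax, so the evaluator refuses it. Whether a new capability should fall under an existing feature or get a new one is a decision the policy language has to make somewhere, and renaming "font-src" to "allow[font]" does not make it.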