Re: Using CSP

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 20 Jul 2011 16:49:29 -0700
Message-ID: <4E276989.9080007@mozilla.com>
To: Mark Nottingham <mnot@mnot.net>
CC: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

On 07/19/2011 11:14 PM, Mark Nottingham wrote:
>> The "options" syntax got removed at some point.  I think Brandon is
>> updating the Firefox implementation to the new syntax.
> 
> Hmm. If the syntax is still evolving in non-backwards-compatible ways, it might be better to use a nonsense or generated header name, and revise it on each bump, so that sites that experiment with CSP don't have problems with supporting multiple incompatible deployed protocols.

I've still been assuming that we are pre-version 1 of the spec and would
adopt changes in this fashion in any subsequent versions of CSP that we
ship.  To your point, though, the Gecko implementation will support both
syntaxes, at least for some reasonable period of time, so that we don't
screw over the people that experimented with CSP prior to version 1.

Thanks also for your earlier detailed feedback.  I have a few items
marked for follow-up, but I'll have to reply some time tomorrow.

Cheers,
Brandon
Received on Wednesday, 20 July 2011 23:49:23 GMT
