- From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
- Date: Tue, 7 Jun 2011 10:12:04 -0600
- To: Brandon Sterne <bsterne@mozilla.com>, "Hill, Brad" <bhill@paypal-inc.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Brandon Sterne
>
> No, my personal preference is to leave out a global policy mechanism for the sake of keeping CSP simpler, but I definitely wouldn't and couldn't declare the issue settled or out of scope. If people feel strongly that such a mechanism should be added to CSP then I would suggest they make the case on the list. Adding it to the charter as you have it does, though, seem to remove some opportunity for the counter position to be taken.

From an application security auditing perspective, from an assurance perspective, "static" artifacts that implement/indicate policy rather than having it tied to each URL/resource are significantly better. Sort of like setting TLS (HTTPS) for my whole domain/site, not just for a single URL. For me, it's critically important that we build these policy mechanisms with the ability to scope a whole "origin".

- Andy
Received on Tuesday, 7 June 2011 16:12:46 UTC