
RE: New proposed charter and chairs for WebAppSec WG

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Tue, 7 Jun 2011 10:12:04 -0600
To: Brandon Sterne <bsterne@mozilla.com>, "Hill, Brad" <bhill@paypal-inc.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB7A1AE428@DEN-MEXMS-001.corp.ebay.com>
> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-
> request@w3.org] On Behalf Of Brandon Sterne
> No, my personal preference is to leave out a global policy mechanism for the
> sake of keeping CSP simpler, but I definitely wouldn't and couldn't declare
> the issue settled or out of scope.  If people feel strongly that such a
> mechanism should be added to CSP then I would suggest they make the case
> on the list.  Adding it to the charter as you have it does, though, seem to
> remove some opportunity for the counter position to be taken.

From an application security auditing perspective, from an assurance perspective, "static" artifacts that implement/indicate policy rather than having it tied to each URL/resource are significantly better. Sort of like setting TLS (HTTPS) for my whole domain/site, not just for a single URL.

For me, it is critically important that we build these policy mechanisms with the ability to scope a whole "origin".

- Andy
Received on Tuesday, 7 June 2011 16:12:46 UTC
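The auditing concern raised in the message above, shown as an added example (this script is not part of the mailing-list thread and is not W3C or WebAppSec WG code). It contrasts the two models Andy describes: with a per-response policy header such as Content-Security-Policy, assurance requires inspecting every URL of an origin, and one forgotten or weaker header is a gap; with an origin-scoped policy, coverage is a property of the origin rather than of each resource. The crawl results and policy strings are constructed sample data; the header name is the real CSP header, and the function names are this example's own.

```python
"""Audit per-URL policy headers versus an origin-scoped policy.

Added example for the thread's 'static artifact vs. per-resource policy'
point. All URLs, headers and policy values below are constructed samples.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: (url, response headers) as an auditor might collect
# them by crawling one site. Two pages carry the intended policy, one page
# has no header at all, and one carries a weaker policy.
SAMPLE_RESPONSES = [
    ("https://shop.example/", {"Content-Security-Policy": "default-src 'self'"}),
    ("https://shop.example/cart", {"Content-Security-Policy": "default-src 'self'"}),
    ("https://shop.example/legacy/help.html", {}),  # header forgotten here
    ("https://shop.example/admin", {"Content-Security-Policy": "default-src *"}),
]


def normalize_policy(value):
    """Canonicalise a CSP string so ordering/whitespace differences do not
    register as divergence: ((directive, (sorted sources...)), ...)."""
    directives = []
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tuple(sorted(tokens[1:]))))
    return tuple(sorted(directives))


def audit_per_url_policy(responses, header="Content-Security-Policy"):
    """Per-resource model: every URL must be checked individually.

    Returns (missing, divergent, dominant):
      missing   - URLs with no policy header at all
      divergent - URLs whose policy differs from the most common one
      dominant  - the most common normalised policy, or None
    """
    policies = {}
    missing = []
    for url, headers in responses:
        value = headers.get(header)
        if value is None:
            missing.append(url)
        else:
            policies[url] = normalize_policy(value)
    counts = Counter(policies.values())
    dominant = counts.most_common(1)[0][0] if counts else None
    divergent = [url for url, pol in policies.items() if pol != dominant]
    return missing, divergent, dominant


def origin_of(url):
    """scheme://host[:port] of a URL, the unit an origin-scoped policy covers."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_origin_policy(responses, origin_policies):
    """Origin-scoped model: a URL is covered iff its origin has a policy.

    origin_policies maps origin -> policy string. Returns the list of URLs
    whose origin carries no policy; no per-URL header inspection is needed.
    """
    covered = {o.lower() for o in origin_policies}
    return [url for url, _ in responses if origin_of(url) not in covered]


if __name__ == "__main__":
    missing, divergent, dominant = audit_per_url_policy(SAMPLE_RESPONSES)
    print("per-URL model: missing =", missing, "divergent =", divergent)
    # Constructed origin-wide policy for the same site.
    uncovered = audit_origin_policy(
        SAMPLE_RESPONSES, {"https://shop.example": "default-src 'self'"})
    print("origin model: uncovered =", uncovered)
```

The per-URL audit has to enumerate every resource and still only reports what the crawl happened to reach; the origin-scoped audit reduces the question to whether each origin in scope has a policy, which is the assurance property the message argues for.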
