Re: script-src requirements from Brandon Sterne on 2011-06-08 (public-web-security@w3.org from June 2011)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 07 Jun 2011 17:13:06 -0700
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
Message-ID: <4DEEBE92.6090402@mozilla.com>

On 03/28/2011 01:24 PM, Brandon Sterne wrote:
> On 03/27/2011 04:48 PM, Adam Barth wrote:
>> IMHO, we should phrase the resource-loading requirements for CSP in
>> terms of HTML5's "fetch" apparatus:
>>
>> http://www.whatwg.org/specs/web-apps/current-work/#fetching-resources
>>
>> For example, that's how CORS specifies how to handle cross-origin
>> XMLHttpRequests:
>>
>> http://www.w3.org/TR/access-control/
> 
> This is a good suggestion.  I've created a TODO item in my personal
> issue tracker and should be able to address this in the next week or so.

Well, that turned out to be significantly more than a "week or so", but
I completed this change nevertheless:

https://dvcs.w3.org/hg/content-security-policy/rev/4ccc87cc3a37
https://dvcs.w3.org/hg/content-security-policy/rev/190ae9b27a24

I hope the new verbiage is clearer.  Let me know if it's not.

Best,
Brandon

Received on Wednesday, 8 June 2011 00:13:21 UTC