W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

Re: Unofficial Draft of Content Security Policy

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 10 Mar 2011 13:44:29 +0100
To: "Brandon Sterne" <bsterne@mozilla.com>, "Adam Barth" <w3c@adambarth.com>
Cc: "Collin Jackson" <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <op.vr4ocfsp64w2qv@anne-van-kesterens-macbook-pro.local>
On Tue, 08 Mar 2011 20:11:35 +0100, Adam Barth <w3c@adambarth.com> wrote:
> We're going to be more successful getting folks to use CSP for new
> kinds of policies in the future if CSP has less intrinsic baggage.
> For example, Anne's From-Origin HTTP header should be a CSP directive
> not yet-another-HTTP-header, but he's not going to like any coupling
> between From-Origin and how inline event handlers behave.

Yeah that would be weird. I'm still a bit unsure as to whether putting all  
these policies in the same header makes sense. They are orthogonal issues.  
It feels very similar to the <object> disaster. Some kind of framework  
element that can handle a ton of things, but is not very good at any of  

Anne van Kesteren
Received on Thursday, 10 March 2011 12:45:12 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC