
Re: CSP 1.1 DOM design

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 5 Nov 2012 10:32:38 +0000
Message-ID: <CANr5HFUqexrkU+tq-3KU74we7mo_8z1M131RuzQdiOds6dFjVg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-web-security@w3.org

On Mon, Nov 5, 2012 at 1:08 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/4/12 3:58 PM, Alex Russell wrote:
>
>>      DOMString toString();
>>
>
> This should probably be:
>
>   stringifier;
>
> instead (which in ES will produce a toString on the prototype, but is more
> clear about the point, and might do different things in other binding
> languages).


Other binding languages don't matter, but OK.


>> One open issue: I'm not sure if allowsEval, allowsInlineScript, and
>> allowsInlineStyle should just be boolean getters or if they should stay
>> methods
>>
>
> I think readonly boolean attributes would make more sense here, personally.
>

Read-only when vended from document.securityPolicy, right?

When constructed ("new SecurityPolicy(...)"), I think they should be
read-write.


> Another thing to think about is whether reportURIs should really be an IDL
> array (which does NOT produce a JS array on the JS side, so it really
> depends on the expected use cases).


I'll advocate for a JS array wherever we surface an array-like collection.
It's long past time that we stopped shitting on users with ad-hoc
collection types. If you want it read-only, vend an ES6 proxy. We can
figure out later how to say that in WebIDL (not that it actually matters,
IMO).
Received on Monday, 5 November 2012 10:33:41 GMT
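
The two designs discussed in the message above (read-only when vended, read-write when constructed, with reportURIs surfaced as a real JS array behind an ES6 proxy), as an added example that is not part of the original message or of the CSP 1.1 draft. `PolicySketch`, `readOnlyArray` and the `vended` flag are hypothetical names, and throwing on writes to a vended policy is an assumption.

```javascript
// Hypothetical helper: a real Array behind a Proxy whose mutation traps throw.
function readOnlyArray(items) {
  const deny = () => { throw new TypeError("read-only array"); };
  return new Proxy(Array.from(items), {
    set: deny,            // covers index writes, length writes, push/pop/splice
    defineProperty: deny,
    deleteProperty: deny,
    setPrototypeOf: deny,
  });
}

// Hypothetical stand-in for the SecurityPolicy object; only allowsEval and
// reportURIs come from the thread, the `vended` flag is an assumption.
class PolicySketch {
  #allowsEval;
  #reportURIs;
  #vended;

  constructor({ allowsEval = false, reportURIs = [] } = {}, vended = false) {
    this.#allowsEval = Boolean(allowsEval);
    this.#reportURIs = Array.from(reportURIs);
    this.#vended = vended;
  }

  get allowsEval() { return this.#allowsEval; }

  set allowsEval(value) {
    // Assumption: writes to a vended policy throw rather than being ignored.
    if (this.#vended) throw new TypeError("vended policy is read-only");
    this.#allowsEval = Boolean(value);
  }

  get reportURIs() {
    // Vended: read-only view over a copy. Constructed: the live, mutable array.
    return this.#vended ? readOnlyArray(this.#reportURIs) : this.#reportURIs;
  }
}

// Constructed sample values, not taken from any real policy.
const SAMPLE = { allowsEval: false, reportURIs: ["https://example.test/csp-report"] };
const vendedPolicy = new PolicySketch(SAMPLE, true); // like document.securityPolicy
const ownPolicy = new PolicySketch(SAMPLE);          // like new SecurityPolicy(...)
```

The proxied value still passes `Array.isArray` and supports `map`, `filter` and spread, which an ad-hoc collection type would not, while script running in the page cannot rewrite the report destinations through it.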
