
Re: CSP 1.1 DOM design

From: Mike West <mkwst@google.com>
Date: Tue, 6 Nov 2012 10:36:06 +0100
Message-ID: <CAKXHy=f9DbQQrFLd2ft_F9O=tzYv6pGrGoLCKQtmgrymTBxsxw@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org, Cameron McCormack <cam@mcc.id.au>

Discussion of the IDL language aside, two of the suggestions from above
seem uncontroversial: `document.SecurityPolicy` should be renamed
`document.securityPolicy`, and `allowsEval`, `allowsInlineScript`,
`allowsInlineStyle`, and `isActive` should be converted to read-only
boolean attributes. I've made those changes in
https://dvcs.w3.org/hg/content-security-policy/rev/5a29424a37d4 and will
poke at them in WebKit at https://bugs.webkit.org/show_bug.cgi?id=101321.

On Tue, Nov 6, 2012 at 10:04 AM, Alex Russell <slightlyoff@google.com> wrote:

> As I suggested before, the exercise here should be to write down the
> behavior you want in JS and then transcribe it back to IDL. I'm
> implementing a SecurityPolicy class right now and can post it for review
> when it's done.
>

I'm interested in seeing this; it should give us a good basis upon which to
discuss the functionality we want to provide. The interface that's up now
is pretty much a strawman to generate exactly this sort of discussion.

Thanks!

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 6 November 2012 09:36:54 GMT
