- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Tue, 12 Feb 2013 14:56:23 -0800
- To: W3C Web App Security WG <public-webappsec@w3.org>
>> what is the rationale for preventing this beyond difficulty of
>> implementation?
>
> [Hill, Brad] I'm always the first one to invoke the priority of
> constituencies, but I think there's a real sense in which difficulty of
> implementation is the only interesting problem here, and directly related to
> the use-case goals of the feature.
>
> How do we create a canonical set of bytes to represent script content inline
> in an HTML document that is unambiguous and yet not brittle across multiple
> implementations and (importantly) future implementations?
>
> We're taking dependencies on a core and complex part of HTML here. We
> should expect HTML to continue to evolve, and for the pressures on it to be
> stronger than any back-pressure we can put it on behalf of script-hash.
>
> If we design something that is brittle, constrictive or otherwise problematic
> in the face of the evolution of core document parsing, we should expect
> script-nonce will fail and get left behind.

+1
Received on Tuesday, 12 February 2013 22:56:49 UTC
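
The canonical-bytes problem raised in the quoted text, as an added example that is not part of the original message or of any proposal in the thread: the same inline script, hashed as raw bytes, yields a different digest for each encoding and line-ending variant. The SHA-256/base64 digest format and the `canonicalize` rule (decode, normalise newlines to LF, re-encode as UTF-8) are assumptions chosen for illustration.

```python
import base64
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 over the given bytes, base64-encoded (digest format is an assumption)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def canonicalize(data: bytes, encoding: str) -> bytes:
    """Hypothetical canonical form: decode, normalise newlines to LF, re-encode as UTF-8."""
    text = data.decode(encoding)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text.encode("utf-8")


# Constructed sample: one inline script as it could reach a hasher on different paths.
SOURCE = "\nvar greeting = 'h\u00e9llo';\nalert(greeting);\n"
VARIANTS = {
    "utf8_lf": (SOURCE.encode("utf-8"), "utf-8"),
    "utf8_crlf": (SOURCE.replace("\n", "\r\n").encode("utf-8"), "utf-8"),
    "latin1_lf": (SOURCE.encode("latin-1"), "latin-1"),
    "utf16le_lf": (SOURCE.encode("utf-16-le"), "utf-16-le"),
}


def raw_digests() -> dict:
    """Digest of each variant's bytes exactly as delivered."""
    return {name: digest(data) for name, (data, _) in VARIANTS.items()}


def canonical_digests() -> dict:
    """Digest of each variant after the hypothetical canonicalization."""
    return {name: digest(canonicalize(data, enc)) for name, (data, enc) in VARIANTS.items()}


if __name__ == "__main__":
    for name, value in raw_digests().items():
        print("raw      ", name, value)
    for name, value in canonical_digests().items():
        print("canonical", name, value)
```

Canonicalizing only covers the variations it anticipates: a re-indented copy of the script still hashes differently, which is the brittleness across implementations that the quoted text describes.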