Hey Dan, I'll fork this thread for clarity. On Thu, Sep 8, 2016 at 5:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote: > On 9/8/16 6:10 AM, Mike West wrote: > > What syntax issue do we need to discuss? If there are remaining syntax > > questions, we should resolve them quickly, as Chrome is shipping what's > > currently in the spec, and Google sites are beginning to rely on the > > currently specified behavior. :) > > I'm uncomfortable with the multilayered "ignore this if that" within a > single directive; it will be especially confusing to developers to have > an ignored whitelist of sites. It would be clearer, and more flexible in > the future if we need to add options or restrictions on > 'strict-dynamic', to have a separate directive which overrides > 'script-src' in UAs that understand it (as script-src itself overrides > default-src). > > Because we may want other dynamic types in the future, and to help > indicate what it's overriding, we would want to rename it to > 'dynamic-script' or something. > My recollection is that we went back and forth on this a bit at the F2F ( https://www.w3.org/2011/webappsec/minutes/2016-05-17-webappsec-minutes.html), the list ( https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0007.html), and agreed upon the current syntax. Dev expressed some reservations about the syntax, but ended up agreeing with Artur on the current framing (renaming from 'unsafe-dynamic' to 'strict-dynamic'). Brad also expressed some reservations early on in the thread, but didn't object to the final framing. Mozilla didn't really participate in that conversation. I'm a little surprised that you're expressing worries about the syntax now. :) That said, Google is probably the only high-volume consumer of the syntax right now. We probably have a (narrowing) window for change. Would you mind putting together a more concrete proposal that we can talk about at TPAC? What flexibility and future types would you like to guarantee? -mike
Received on Thursday, 8 September 2016 16:15:55 UTC