- From: Gervase Markham <gerv@mozilla.org>
- Date: Mon, 10 Aug 2009 13:00:18 +0100
- To: Daniel Veditz <dveditz@mozilla.com>
- CC: Ian Hickson <ian@hixie.ch>, Bil Corry <bil@corry.biz>, Brandon Sterne <bsterne@mozilla.com>, dev-security@lists.mozilla.org, www-archive@w3.org, jonas@sicking.cc, Sid Stamm <sid@mozilla.com>
On 30/07/09 18:51, Daniel Veditz wrote:
>> * Remove external policy files.
>
> I'd be happy to drop those, personally. Some people have expressed
> bandwidth concerns that would be solved by a cacheable policy file.

Can we quantify that? At this stage, it's looking like most policies won't be significantly longer than a URL. And the extra RTT on first load, as Hixie says, means that big sites may well choose not to use them. So if removing it reduces implementation and spec complexity, why don't we do that? At least for the first "X-" version.

>> * Move "inline" and "eval" keywords from "script-src" to a separate
>> directive, so that all the -src directives have the same syntax
>
> I've argued that too and I think we agreed, although I don't see that
> reflected in the spec or on the talk page.

Yes, we did agree this.

Gerv
Received on Monday, 10 August 2009 12:01:06 UTC