Re: Comments on the Content Security Policy specification

From: Gervase Markham <gerv@mozilla.org>
Date: Mon, 10 Aug 2009 13:00:18 +0100
Message-ID: <4A800BD2.4020003@mozilla.org>
To: Daniel Veditz <dveditz@mozilla.com>
CC: Ian Hickson <ian@hixie.ch>, Bil Corry <bil@corry.biz>, Brandon Sterne <bsterne@mozilla.com>, dev-security@lists.mozilla.org, www-archive@w3.org, jonas@sicking.cc, Sid Stamm <sid@mozilla.com>
On 30/07/09 18:51, Daniel Veditz wrote:
>>   * Remove external policy files.
> I'd be happy to drop those, personally. Some people have expressed
> bandwidth concerns that would be solved by a cacheable policy file.

Can we quantify that? At this stage, it's looking like most policies 
won't be significantly longer than a URL. And the extra RTT on first 
load, as Hixie says, means that big sites may well choose not to use 
them. So if removing it reduces implementation and spec complexity, why 
don't we do that? At least for the first "X-" version.

>>   * Move "inline" and "eval" keywords from "script-src" to a separate
>>     directive, so that all the -src directives have the same syntax
> I've argued that too and I think we agreed, although I don't see that
> reflected in the spec or on the talk page.

Yes, we did agree this.

Received on Monday, 10 August 2009 12:01:06 UTC