- From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
- Date: Mon, 27 May 2024 05:34:36 +0000
- To: public-css-archive@w3.org
> > My point is if we were to do this I would start from history and derive view transitions from that
>
> That's fair. We might need 2 policies, one to allow same-site URLs to be visible in the navigation API session history and another for view-transition. And the view-transition can't apply without a navigation API opt-in.
>
> > Note that CSP is designed as an opt-out only, meaning any added policy can only be further restricting what precedes it or the default. It's not a good framework for something that's supposed to be restricted by default and relaxed using an opt-in.
>
> Can you expand on "designed as an opt-out only"? Since on the surface it looks like a key -> list of URLs, it's not obvious why that list can't be used as an allow list on top of any same-origin URL.

CSP is a list of policies, each policy with multiple directives. Every policy can only tighten what's before it, not relax it. It's built in a way that a policy injected (e.g. in a CDN header) can't relax security beyond the current state.

--
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10364#issuecomment-2132675221 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 May 2024 05:34:37 UTC
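The "every policy can only tighten" behaviour described in the comment above, as an added example that is not part of the thread or of any browser's code: each delivered Content-Security-Policy header is enforced independently, so a load must satisfy all of them, and a later header that lists broader sources cannot re-allow what an earlier one blocked. Source matching is deliberately reduced to 'self', 'none', * and scheme://host; real CSP also has wildcard hosts, paths, nonces and hashes.

```python
from urllib.parse import urlparse

# Simplified model of CSP multi-policy enforcement (added example, not from
# the thread). Only 'self', 'none', '*' and scheme://host sources are modelled.

def parse_policy(header: str) -> dict:
    """Split one Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading url from a page at page_origin?"""
    target = urlparse(url)
    target_origin = f"{target.scheme}://{target.netloc}"
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return target_origin == page_origin
    return target_origin == source

def policy_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """A single policy allows the load if any listed source matches.
    Fetch directives fall back to default-src; a policy that names neither
    places no restriction on this directive."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

def allowed(headers: list, directive: str, url: str, page_origin: str) -> bool:
    """Every delivered policy is enforced on its own: the load must satisfy
    all of them, so adding a header can only narrow what is allowed."""
    return all(policy_allows(parse_policy(h), directive, url, page_origin)
               for h in headers)
```

Running the checks below shows that appending `img-src *` (say, injected by a CDN) leaves the earlier `img-src https://cdn.example` restriction fully in force, while appending `img-src 'none'` does tighten it.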