- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Mon, 31 Jan 2011 19:40:21 -0500
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org

On Mon, Jan 31, 2011 at 5:36 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> Ok I've thought about this, IMO here is what you need:-
>
> 1) Policy editor. An online/offline editor to create policy scripts with a
> nice UI.

IMO, if this needs a policy editor, it's vastly too complicated for the web. Policy editors put me in mind of SELinux.

> 2) Validator. You need to validate policies, so we know what they are doing
> instead of thinking we know what they're doing. Should CSP refuse to load
> sites with invalid policies or syntax errors? I think yes.

XML-style well-formedness is usually not looked upon kindly for web standards. It makes it much too easy to DoS your site by accident, and doesn't have much benefit. Parsing should be well-defined in the face of errors, and whatever policies you're able to parse should be applied, with an error printed to the console.

Received on Tuesday, 1 February 2011 00:41:13 UTC
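
The two parsing behaviours debated in this message, side by side, as an added example that is not part of the original e-mail or of any browser's code. It uses a simplified, assumed directive grammar rather than the CSP specification's parsing algorithm; `parsePolicy`, `KNOWN_DIRECTIVES`, `SOURCE_RE` and `SAMPLE` are hypothetical names, and dropping only the unparseable source (so the directive stays at least as strict) is a design choice of this sketch.

```javascript
// Assumed subset of directive names, for illustration only.
const KNOWN_DIRECTIVES = new Set(["default-src", "script-src", "img-src", "style-src"]);
// Assumed source grammar: 'self'/'none', *, a bare scheme, or [scheme://][*.]host[:port].
const SOURCE_RE = /^(?:'(?:self|none)'|\*|[a-z][a-z0-9+.-]*:|(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d+)?)$/i;

// strict=false: apply whatever parses and report the rest.
// strict=true: XML-style well-formedness, one error rejects the whole policy.
function parsePolicy(text, { strict = false } = {}) {
  const policy = new Map();
  const errors = [];
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) {
      errors.push(`unknown directive "${tokens[0]}" ignored`);
      continue;
    }
    if (policy.has(name)) {
      errors.push(`duplicate directive "${name}" ignored`);
      continue;
    }
    const sources = [];
    for (const src of tokens.slice(1)) {
      if (SOURCE_RE.test(src)) sources.push(src);
      // A dropped source only narrows the allow-list, so the error fails closed.
      else errors.push(`source ${src} in "${name}" ignored`);
    }
    policy.set(name, sources);
  }
  if (strict && errors.length > 0) return { policy: null, blocked: true, errors };
  return { policy, blocked: false, errors };
}

// Constructed sample policy with two author mistakes: 'slef' and imgsrc.
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example.com 'slef'; imgsrc *; style-src 'self';";

const lenient = parsePolicy(SAMPLE);
for (const e of lenient.errors) console.warn("policy warning: " + e);
console.log("directives applied:", [...lenient.policy.keys()].join(", "));
console.log("strict mode blocks page:", parsePolicy(SAMPLE, { strict: true }).blocked);
```
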