- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 25 Feb 2011 15:17:47 -0800
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web Security Interest Group <public-web-security@w3.org>
On Fri, Feb 25, 2011 at 1:43 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> AdamB said on Wed, 23 Feb 2011 21:18:26 -0800
>>
>> On Wed, Feb 23, 2011 at 5:18 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
>>
>>> I see your comments suggesting this change and Collin's supporting them.
>>> I don't see how you got from there to "this group". I'm not saying the
>>> suggested change is without merit, but there is a case to be made
>>> against it which Dan brought up. I think the debate is still open.
>>
>> Fair enough. Perhaps we should continue the discussion in the other
>> thread.
>
> The other thread, and the four relevant msgs therein, are...
>
> Re: JavaScript URLs and script-src nit
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0096.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0097.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0113.html
>
> ..tho retitling it (or just carrying over into this thread) may be a good
> idea.

Thanks Jeff.

I think this question boils down to how general purpose we want CSP
policies to be. For example, would we rather have yet another one-off
HTTP header for something like From-Origin:

http://annevankesteren.nl/2011/02/from-origin

or should that just be a CSP directive:

Content-Security-Policy: restrict-embedding-to *.example.com

(modulo naming)? If CSP comes with a lot of baggage, that's going to
lead to a proliferation of these sorts of headers. On the other hand,
which seems unfortunate.

Adam

>>> On 02/22/2011 07:41 PM, Adam Barth wrote:
>>>>
>>>> Oh, I meant this group.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Tue, Feb 22, 2011 at 6:24 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>
>>>>> I haven't seen any consensus forming on that, maybe Adam's "we"
>>>>> means webkit.
>>>>>
>>>>> On 2/22/11 1:31 AM, sird@rckc.at wrote:
>>>>>
>>>>>> Oh, I wasn't aware that the "default-do-nothing" was really happening.
>>>>>>
>>>>>> -- Eduardo
>>>>>>
>>>>>> On Tue, Feb 22, 2011 at 1:16 AM, Adam Barth <w3c@adambarth.com> wrote:
>>>>>>
>>>>>>> I don't think the situation is as tricky as you make it out to be,
>>>>>>> especially if we go the route of an empty CSP policy not implying
>>>>>>> inline script restrictions, which seems likely.
>>>>>>>
>>>>>>> Adam
>
>
Received on Friday, 25 February 2011 23:24:39 UTC
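The message above contrasts a one-off From-Origin header with a CSP directive for the same embedding restriction. The following is an added illustration, not code from the thread, from any browser, or from Anne van Kesteren's From-Origin draft: a small Python checker that accepts either header shape and feeds both into one evaluation routine, which is the point of folding such controls into CSP. The directive name `restrict-embedding-to` is the hypothetical one from the message, the source grammar (origins, `*.host` wildcards, `same`, `*`) is a simplified assumption, and ports are ignored; the sample response headers are constructed.

```python
"""Embedding-restriction check fed by either a standalone From-Origin
header or a CSP-style directive (added example; the directive name is
hypothetical and the source grammar is a simplified assumption)."""
from urllib.parse import urlsplit

# Hypothetical directive name from the thread; not a real CSP directive.
DIRECTIVE = "restrict-embedding-to"


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    if p.port is not None:
        return f"{p.scheme}://{p.hostname}:{p.port}"
    return f"{p.scheme}://{p.hostname}"


def parse_from_origin(value):
    """From-Origin header value -> list of source tokens (simplified)."""
    return value.split()


def parse_csp_directive(value, name=DIRECTIVE):
    """Source list of one directive in a CSP header value.

    Returns None when the directive is absent, so a caller can tell
    'no policy at all' from 'policy that admits nobody'."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def source_matches(token, embedder_origin, resource_origin):
    """Does one source token admit the embedding origin?"""
    if token == "*":
        return True
    if token == "same":
        return embedder_origin == resource_origin
    e = urlsplit(embedder_origin)
    r = urlsplit(resource_origin)
    if e.hostname is None:
        return False  # opaque/null embedder origin never matches a host source
    if "://" in token:
        scheme, host = token.split("://", 1)
    else:
        scheme, host = r.scheme, token  # scheme-less source inherits the resource's scheme
    if scheme.lower() != e.scheme:
        return False
    host = host.lower().split(":")[0]  # ports not modelled in this example
    if host.startswith("*."):
        return e.hostname.endswith(host[1:])  # host[1:] == ".example.com"
    return e.hostname == host


def embedding_allowed(headers, embedder_origin, resource_origin):
    """Decide whether embedder may frame the resource carrying `headers`.

    Both header shapes end in the same evaluation; only the source of the
    token list differs. No policy at all means allowed, as an opt-in header
    would behave."""
    sources = None
    csp = headers.get("Content-Security-Policy")
    if csp is not None:
        sources = parse_csp_directive(csp)
    if sources is None and "From-Origin" in headers:
        sources = parse_from_origin(headers["From-Origin"])
    if sources is None:
        return True
    emb = origin_of(embedder_origin)
    res = origin_of(resource_origin)
    return any(source_matches(t, emb, res) for t in sources)


# Constructed sample responses, not taken from the thread.
CSP_STYLE = {"Content-Security-Policy": "restrict-embedding-to *.example.com; default-src 'self'"}
FROM_ORIGIN_STYLE = {"From-Origin": "https://app.example.com same"}
NO_POLICY = {}

if __name__ == "__main__":
    resource = "https://widgets.example.com/embed"
    for label, hdrs in (("csp", CSP_STYLE), ("from-origin", FROM_ORIGIN_STYLE), ("none", NO_POLICY)):
        for embedder in ("https://portal.example.com", "https://evil.example.net"):
            print(label, embedder, embedding_allowed(hdrs, embedder, resource))
```

The `parse_csp_directive` return of `None` versus `[]` is the detail worth keeping: an absent directive leaves the resource embeddable, while a present directive with no sources denies every embedder, and conflating the two is how a policy silently fails open.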