- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 21 Jan 2011 15:16:36 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org
> Your approach seems, generally, to provide all the various options
> when you think more than one thing might make sense. At a high level,
> I don't think that's a good approach.

My general concern is that there is a risk of the discussion devolving into nit-picking over peripheral aspects that have comparable merits, potentially leading to fragmentation (CORS vs Microsoft's XDomainRequest; toStaticHtml versus innerSafeHtml). If these are the key differentiators between competing proposals, and the reasons why WebKit or MSIE may end up with an approach incompatible with Firefox, then I think a less principled stand may be ultimately more beneficial, even if it results in a less elegant specification.

That said, #1, #2, and #3 aside, I think the concern in #4 - the practical safety of scoping these policies to origin level - deserves some consideration sooner than later (also in the context of CSP).

/mz
Received on Friday, 21 January 2011 23:17:29 UTC