- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 21 Jan 2011 20:32:02 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
On Fri, Jan 21, 2011 at 8:10 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 1/21/11 7:42 PM, Adam Barth wrote:
>> On Fri, Jan 21, 2011 at 6:21 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>> I'd be perfectly happy to add [...]
>> [...]
>>> That can be added to CSP quite easily [...]
>>
>> I guess, from my perspective, the more interesting discussion is about
>> what to remove, not about what to add. My main sadness about CSP is
>> that it is too large and too complex. Adding more bells and whistles
>> exacerbates that sadness.
>
> "bells and whistles"? Those seemed to be the main points of your
> counter-proposal. They weren't things you were proposing to remove
> from CSP, they were things both proposals do that you wanted done
> differently.

The main point of my counter-proposal is to focus on XSS mitigation first and to defer building out features for other benefits that we might get from security policies. If we can agree that's a reasonable scope, then I suspect coming to agreement about the remaining details won't be that hard.

> At least the <meta> point was. Lacking context I'm guessing the
> other snip was in response to mz's URI vs origin suggestion. That's
> not something I want to add, but the syntax is purposefully flexible
> and if consensus says that's a better granularity for control
> there's no reason CSP couldn't do that.

I'm not too worried about the syntax for what's allowed or disallowed. There are a bunch of options, many of which can do the job. Once we agree on a scope, we can go through the options and weigh the trade-offs.

Adam
Received on Saturday, 22 January 2011 04:33:08 UTC