- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 25 Jan 2011 14:35:36 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Brandon Sterne <bsterne@mozilla.com>, Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On Tue, Jan 25, 2011 at 2:03 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 25 January 2011 21:45, Adam Barth <w3c@adambarth.com> wrote:
>> I guess I wish we had an extensibility model more like HTML where we
>> could grow the security protections over time. For example, we can
>> probably agree that both <canvas> and <video> are great additions to
>> HTML that might not have made sense when folks were designing HTML
>> 1.0.
>
> Glad you're coming around to my way of thinking =)
>
> X-Content-Security-Policy: policy.csp
Well, if you're into re-using machinery, we should use the Link header
with an appropriate new "rel" attribute. :)
> policy.csp:-
> * {
> origin:same-domain;
> }
> img {
> src:proxy-only;
> proxy:url(http://www.gmodules.com/ig/proxy?url=);
> }
> a {
> onclick:true;
> }
>
> This makes so much sense and is easy to understand for devs, can be validated
> and you can use existing technology (i.e. CSS parsers) to parse the policy
> file. I'll shut up now
I certainly like the idea of re-using an existing syntax for the
policy language. CSS is very syntax directed, whereas many things a
policy might want to say don't necessarily relate to CSS selectors.
Adam
Received on Tuesday, 25 January 2011 22:36:41 UTC
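To make the "reuse a CSS parser" idea concrete, the following is an added example (not code from either participant or from any browser): a small parser for the CSS-like policy.csp sketched above, plus an evaluator that decides whether a user agent should allow, block or proxy a resource load under it. The function names, the reading of `origin:same-domain` as "same origin as the document", and the assumption that `src:proxy-only` routes every image through the `proxy` URL (appending the URL-encoded target) are all my assumptions; the proposal in the thread does not define them.

```javascript
// Added example: parse and evaluate the CSS-like policy syntax proposed in the
// thread. The policy text below is the one from the email, reproduced as input.
const SAMPLE_POLICY = `
* {
  origin:same-domain;
}
img {
  src:proxy-only;
  proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
  onclick:true;
}
`;

// Split a declaration body on ';' while ignoring ';' inside url(...) parentheses,
// so a proxy URL that itself contains ';' does not break the policy.
function splitDeclarations(body) {
  const out = [];
  let depth = 0;
  let cur = '';
  for (const ch of body) {
    if (ch === '(') depth++;
    else if (ch === ')') depth = Math.max(0, depth - 1);
    if (ch === ';' && depth === 0) { out.push(cur); cur = ''; }
    else cur += ch;
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(Boolean);
}

// Unwrap url(...) values into { url }; every other value stays a plain string.
function parseValue(raw) {
  const m = /^url\((.*)\)$/s.exec(raw.trim());
  return m ? { url: m[1].trim().replace(/^["']|["']$/g, '') } : raw.trim();
}

// Parse "selector { prop:value; ... }" blocks into { selector: { prop: value } }.
// A malformed declaration (no ':') is rejected rather than silently ignored.
function parsePolicy(text) {
  const rules = {};
  const block = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = block.exec(text)) !== null) {
    const selector = m[1].trim();
    const decls = rules[selector] || (rules[selector] = {});
    for (const d of splitDeclarations(m[2])) {
      const i = d.indexOf(':');
      if (i < 0) throw new Error(`malformed declaration: ${d}`);
      decls[d.slice(0, i).trim()] = parseValue(d.slice(i + 1));
    }
  }
  return rules;
}

// Rules for an element type: the '*' defaults overridden by the element's own block.
function effectiveRules(rules, element) {
  return Object.assign({}, rules['*'] || {}, rules[element] || {});
}

// Decide what to do with a resource load: 'allow', 'block' or 'proxy'.
// Assumption: 'proxy-only' always rewrites the load through the proxy URL;
// 'same-domain' is treated as a same-origin comparison.
function checkLoad(rules, element, documentOrigin, resourceUrl) {
  const r = effectiveRules(rules, element);
  if (r.src === 'proxy-only') {
    if (!r.proxy || !r.proxy.url) {
      throw new Error(`${element}: src:proxy-only without a proxy url`);
    }
    return { action: 'proxy', url: r.proxy.url + encodeURIComponent(resourceUrl) };
  }
  if (r.origin === 'same-domain') {
    const same = new URL(resourceUrl).origin === new URL(documentOrigin).origin;
    return { action: same ? 'allow' : 'block', url: resourceUrl };
  }
  return { action: 'allow', url: resourceUrl };
}

// Stand-alone demonstration against constructed origins.
const demoRules = parsePolicy(SAMPLE_POLICY);
console.log(checkLoad(demoRules, 'script', 'https://example.test', 'https://example.test/app.js'));
console.log(checkLoad(demoRules, 'script', 'https://example.test', 'https://other.test/x.js'));
console.log(checkLoad(demoRules, 'img', 'https://example.test', 'https://cdn.test/a.png'));
```

The parser itself is about thirty lines because the proposed grammar is so small; that is the point gaz makes about reusing CSS syntax. The evaluator shows the other half of Adam's reply: once policy needs to express things that are not about selectors (which origins count as "same", what the proxy should do with the original URL), the CSS shape no longer carries the semantics, and those decisions have to be specified separately.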