- From: Gervase Markham <gerv@mozilla.org>
- Date: Fri, 28 Jan 2011 10:10:19 +0000
- To: Daniel Veditz <dveditz@mozilla.com>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 27/01/11 18:35, Daniel Veditz wrote:
>> 2) Make it more granular but simply tie it to the relevant tag name.
>> So, we could have allow[img] = ..., allow[embed] = ..., etc. This is
>> more immediately extensible, and allows unrecognized rules to be
>> skipped more confidently.
>
> Attractive from an educational point of view, easy to understand.
> Your <xxx> didn't load because you didn't add an allow[xxx] policy.
>
> I'd say "feature name" rather than "tag name". XHR isn't a tag, nor
> is font-face.

And once you do that, you basically have roughly what we have now, but with a slightly different syntax. (Now: <feature>-src; Then: allow[feature]). As soon as you move away from 1:1 tag matching, you will have the problem of deciding whether a new browser feature fits an existing value, or needs a new value.

IOW, I don't think allow[tag] works and I don't think allow[feature] is different to what we have now.

Gerv
Received on Friday, 28 January 2011 10:11:00 UTC