Re: [Content Security Policy] Proposal to move the debate forward

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 28 Jan 2011 15:34:34 -0800
Message-ID: <4D43528A.3070806@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: public-web-security@w3.org

On 1/28/11 2:58 PM, gaz Heyes wrote:
> On 28 January 2011 22:52, Brandon Sterne <bsterne@mozilla.com> wrote:
>     You're just restating the opinion you gave before.  You'll have to
>     provide more support for these types of statements if you expect to
>     persuade anyone.
> I don't see how I can be more clear.

You said something similar to Gerv when he was trying to understand your
token-stealing attack.  Trust me, we are not deliberately trying to be
obstinate to miss your point.  We're familiar with your work.  We know
you've found lots of neat bugs in browsers and web sites, so your input
is valuable in this discussion.  But it needs to be structured in a way
that can be objectively processed.

> I want to implement it, I don't
> understand the syntax.

Your point has become muddled, unfortunately.  It started as an argument
against using headers to deliver the policy.  To me, that seems to be an
orthogonal issue to the policy syntax.  Are you saying "I don't
understand how to use this syntax to express a policy" or "I don't
understand how to send HTTP headers"?

> I have it commented out in my social network
> because I don't understand the syntax. In other words I am your user.
> Maybe my technical level isn't up to your standard. Maybe you should
> ignore me, in which case I'll be happy to shut my mouth.

Nobody here wants to ignore you.  You're reading too much into the
comments if that is the impression you are getting.  I encourage you to
stay engaged in this discussion, avoiding statements of pure opinion as
much as possible.

Received on Friday, 28 January 2011 23:35:08 UTC