Re: Unofficial Draft of Content Security Policy from gaz Heyes on 2011-03-03 (public-web-security@w3.org from March 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 3 Mar 2011 22:37:20 +0000
To: Brandon Sterne <bsterne@mozilla.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <AANLkTiku1w8djAZi3ZoD8f=g+SuMPu5oz=i3az-y-jcY@mail.gmail.com>

Nice work

But.... I see that img-src is defined and font-src but every url() based CSS
method is missing, then you've got HTML attributes like background. How do
you control those? Are they same domain by default?

On 3 March 2011 18:17, Brandon Sterne <bsterne@mozilla.com> wrote:

> Hello all,
>
> Apologies for the delays in getting this published.  You can find the
> first Unofficial Draft of the Content Security Policy specification here:
>
> https://dvcs.w3.org/hg/content-security-policy/raw-file/bcf1c45f312f/csp-unofficial-draft-20110303.html
>
> I hope you will find the new format well-organized and reflective of our
> discussion so far.  While this document will likely remain in Unofficial
> Draft status until we get our charter reviewed and accepted, in the
> meantime this it should provide a good basis for further discussions.  I
> look forward to receiving your feedback.
>
> Best,
> Brandon
>
>

Received on Thursday, 3 March 2011 22:37:52 UTC