- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 10 Mar 2011 13:44:29 +0100
- To: "Brandon Sterne" <bsterne@mozilla.com>, "Adam Barth" <w3c@adambarth.com>
- Cc: "Collin Jackson" <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>

On Tue, 08 Mar 2011 20:11:35 +0100, Adam Barth <w3c@adambarth.com> wrote:
> We're going to be more successful getting folks to use CSP for new
> kinds of policies in the future if CSP has less intrinsic baggage.
> For example, Anne's From-Origin HTTP header should be a CSP directive
> not yet-another-HTTP-header, but he's not going to like any coupling
> between From-Origin and how inline event handlers behave.

Yeah that would be weird. I'm still a bit unsure as to whether putting all these policies in the same header makes sense. They are orthogonal issues. It feels very similar to the <object> disaster. Some kind of framework element that can handle a ton of things, but is not very good at any of them.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 10 March 2011 12:45:12 UTC