- From: Mark Nottingham <notifications@github.com>
- Date: Thu, 24 Sep 2015 19:10:58 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Friday, 25 September 2015 02:11:28 UTC
@mikewest - another CSP issue worth talking about again is the delivery mechanism. When I look at sites like Twitter, who have really long CSP headers: https://redbot.org/?uri=https%3A%2F%2Ftwitter.com%2Fmnot&req_hdr=User-Agent%3AMozilla%2F5.0+%28X11%3B+U%3B+Linux+x86_64%3B+en-US%29+Gecko+Firefox%2F3.0.8 ... it makes me think we can do better (especially considering that this will consume most of the compression context in HTTP/2 -- 4k -- meaning it'll make header compression really inefficient). I've been noodling on a mechanism to allow a site to put its policies in a .well-known location and then refer to them by a token in responses when the client indicates it's fetched that location; would you care to look at a straw-spec?

--- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/spec-reviews/issues/42#issuecomment-143103375
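A toy model of the token-based delivery sketched in the comment above, added here as an illustration and not code from the thread, from GitHub or from any CSP spec. The `.well-known` document shape, the `csp-policies` request hint, the `csp-token` response header and the hash-derived token are all assumptions; the policy string is constructed. The client falls back to the full header when it has not fetched the document and refuses to guess when a token is unknown.

```python
import hashlib

# Constructed sample policy, standing in for a long real-world CSP header.
LONG_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.test 'nonce-abc'; "
    "img-src 'self' data: https://img.example.test; connect-src 'self' https://api.example.test; "
    "frame-ancestors 'none'; report-uri /csp-report"
)

def policy_token(policy: str) -> str:
    """Hypothetical token: truncated SHA-256 of the policy text, so a token names
    exactly one policy and a response cannot point at a weaker one by mistake."""
    return hashlib.sha256(policy.encode("utf-8")).hexdigest()[:16]

def build_well_known(policies):
    """Server side: the document a site would publish once under a .well-known path."""
    return {policy_token(p): p for p in policies}

class Client:
    def __init__(self):
        self.known = {}  # origin -> {token: policy}

    def load_well_known(self, origin, doc):
        # Keep only entries whose token really matches the policy text (assumed check).
        self.known[origin] = {t: p for t, p in doc.items() if policy_token(p) == t}

    def request_headers(self, origin):
        # Hypothetical hint telling the server this client already holds the document.
        return {"csp-policies": "known"} if origin in self.known else {}

    def resolve_csp(self, origin, response_headers):
        """Effective policy for the response, or None when the token is unknown
        (the caller must refetch the .well-known document rather than skip CSP)."""
        if "content-security-policy" in response_headers:
            return response_headers["content-security-policy"]
        token = response_headers.get("csp-token")  # hypothetical header name
        return self.known.get(origin, {}).get(token)

def server_response(well_known, policy, request_headers):
    """Server side: send the short token only when the client says it holds the document."""
    if request_headers.get("csp-policies") == "known" and policy_token(policy) in well_known:
        return {"csp-token": policy_token(policy)}
    return {"content-security-policy": policy}

def header_bytes(headers):
    """Rough wire size of the headers as 'name: value\\r\\n' lines (uncompressed)."""
    return sum(len(k) + len(v) + 4 for k, v in headers.items())
```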