- From: Mike West <notifications@github.com>
- Date: Fri, 25 Sep 2015 09:01:24 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Friday, 25 September 2015 16:01:53 UTC
@mnot, @travisleithead, @hillbrad: I've been thinking about a modular CSP myself, actually. I do think it's a good idea ("CSP Core" + smaller specs), though I'm not entirely sure where the lines are. For instance, I started on https://w3c.github.io/webappsec/specs/csp-cookies/ this afternoon to chat about (and because it's ~2 years late). Is that enough to stand on its own? I don't know. UPGRADE was, but it was significantly more complex. *shrug* Let's talk about it at TPAC, I guess?

@mnot:

1. Twitter's policy _is_ huge.
2. I have a pinning proposal I haven't touched in ~6 months (https://w3c.github.io/webappsec/specs/csp-pinning/), and some of the discussion pointed in the direction of a manifest. Maybe HTTP/2 push solves the latency problems associated with a blocking request that I've always pushed back on in the WG? I'd be interested in the strawspec (but would prefer discussing it in an issue on w3c/webappsec if possible. :)

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/42#issuecomment-143261456