RE: CfC: publish FPWD of Content Security Policy: Deadline Nov 22 from Jacob Rossi on 2011-11-15 (public-webappsec@w3.org from November 2011)

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Tue, 15 Nov 2011 20:27:44 +0000
To: "Art.Barstow@nokia.com" <Art.Barstow@nokia.com>, "bhill@paypal-inc.com" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: "Adam Barth (w3c@adambarth.com)" <w3c@adambarth.com>, "bsterne@mozilla.com" <bsterne@mozilla.com>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE0364FDCF@TK5EX14MBXC288.redmond.corp.microsoft.>

This is an excellent draft and of high quality for a FPWD.  I haven't yet been able to do an in-depth review of the spec to provide my comments, but I look forward to doing so after the FPWD is published.



However, we'd like to see the sandbox directive spec'd somewhere (as it used to be in the 1.0 draft).  Ideally, that'd be in the 1.0 publication. But if there's no consensus to do so, then I'd like to see it in a draft for 1.1.  I think we know what we want to spec, it's just a matter of writing it up.



Here's my suggestion.  Rather than spending time to spin up a 1.1 document,  can we add sandbox back to the current 1.0 draft?  The concerns for doing so at TPAC seemed to be around feasibility to implement (I didn't hear much pushback on the feature itself).  Generally speaking, CR is the appropriate time to remove a feature if it can't get implemented.  So I'd prefer we be optimistic and keep it in for now and then see how things go as we progress along. If at CR it is at-risk to block progress on the spec, we can consider moving it out to the 1.1 spec. Thoughts?



Thanks!



-Jacob

Received on Tuesday, 15 November 2011 20:28:43 UTC