- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 1 Jun 2012 11:49:06 -0700
- To: Mike West <mkwst@google.com>
- Cc: public-webappsec@w3.org
By the way, this new approach aligns with Robert O'Callahan's recommendations on web API design: http://robert.ocallahan.org/2012/05/canvas-getcontext-mistake.html Adam On Fri, Jun 1, 2012 at 11:43 AM, Mike West <mkwst@google.com> wrote: > I've taken a stab at a WebKit implementation of the experimental CSP script > interface as currently specified in the 1.1 draft, and have a suggestion for > improvement based on that experience. > > Specific query methods for each of the relevant types that CSP deals with > seem simpler to deal with than the current structure. The > `SecurityPolicy.isWhitelisted` method does too much at the moment, and > requires developers to know too much about how CSP actually works. Asking > "Can I run inject a script block onto this page?" requires a developer to > understand the directive is named `script-src`, and that the specific value > they should test for is 'unsafe-inline'. That's probably too much to > ask. Something like `SecurityPolicy.allowInlineScript()` would be more > straightforward, as would `SecurityPolicy.allowEval()` and > `SecurityPolicy.allowScriptFrom([URL])` and so on. > > If you're curious, the IDL file I'm running with at the moment > is https://github.com/mikewest/webkit/blob/csp11domapi/Source/WebCore/page/DOMSecurityPolicy.idl, > and you can see some usage examples in the `securitypolicy-*` tests > under https://github.com/mikewest/webkit/tree/csp11domapi/LayoutTests/http/tests/security/contentSecurityPolicy > > -- > Mike West <mkwst@google.com>, Developer Advocate > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Friday, 1 June 2012 18:50:09 UTC