- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 02:04:36 -0700
- To: public-webappsec@w3.org
After moving CSP 1.0 to <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html>, I started sketching out some of the features we discussed at the face-to-face for CSP 1.1. That text is located at <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>.

Specifically, I've added the following directives, as instructed by the wiki <http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1>:

* form-action
* sandbox
* script-nonce
* plugin-types
* frame-options

The text for these directives is very rough and really more of a sketch. I've marked these directives (with the exception of sandbox) as "experimental."

I've also added back the <meta> element and a script API for querying the current policy (based on <https://mikewest.org/2012/05/content-security-policy-feature-detection>). These are both also marked "experimental."

The only item on the wiki that I haven't included in this document is support for more granular (e.g., by directory) sources. I've held off on this feature pending our discussion about how to treat sources with paths in CSP 1.0.

Please don't feel like the above is in any way set in stone. I just wrote up what was on the wiki more formally. If you've got a directive you think we should include in 1.1, please feel encouraged to put it on the wiki and to start a thread discussing it. If you think any of the above directives should be cut, please feel encouraged to start a thread on that topic as well. :)

Adam
Received on Monday, 7 May 2012 09:05:38 UTC
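As an added example (not part of the message above or of the CSP drafts it links to), the following Python parses a serialized CSP policy using the CSP 1.0 serialization rules (directives separated by `;`, a name followed by whitespace-separated values, names case-insensitive, a repeated directive name ignored) and reports which directives in a served policy are the CSP 1.1 sketch directives the message marks "experimental" versus CSP 1.0 directives. A small helper also pulls a policy out of the `<meta>` element the message mentions; the `http-equiv="Content-Security-Policy"` attribute name is an assumption taken from later CSP drafts, and the sample policy values (the nonce, the `frame-options` and `plugin-types` values) are constructed and carry no meaning beyond the parser test.

```python
import re

# CSP 1.0 directive names (from the CSP 1.0 spec) and the CSP 1.1 sketch
# directives listed in the message. "sandbox" is in both lists in the message;
# it is the one 1.1 directive not marked experimental, so it sits with 1.0 here.
CSP10_DIRECTIVES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "sandbox", "report-uri",
}
CSP11_EXPERIMENTAL = {"form-action", "script-nonce", "plugin-types", "frame-options"}


def parse_policy(policy):
    """Parse a serialized policy into an insertion-ordered dict: name -> [values].

    Follows the CSP 1.0 serialization: directives are separated by ';', each is
    a name followed by optional whitespace-separated values, names match
    case-insensitively, and a second occurrence of a name is ignored (first wins).
    """
    directives = {}
    for raw in policy.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split()
        name = parts[0].lower()
        if name in directives:
            continue  # CSP 1.0: ignore a duplicate directive, keep the first
        directives[name] = parts[1:]
    return directives


def classify(directives):
    """Bucket directive names into CSP 1.0, CSP 1.1 experimental, and unknown."""
    result = {"csp10": [], "csp11_experimental": [], "unknown": []}
    for name in directives:
        if name in CSP10_DIRECTIVES:
            result["csp10"].append(name)
        elif name in CSP11_EXPERIMENTAL:
            result["csp11_experimental"].append(name)
        else:
            result["unknown"].append(name)
    return result


# Assumed attribute name (later CSP drafts); the message only says <meta> was added back.
META_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']Content-Security-Policy["\'][^>]*'
    r'content\s*=\s*(?:"([^"]*)"|\'([^\']*)\')',
    re.IGNORECASE,
)


def policy_from_meta(html):
    """Return the policy string from a <meta http-equiv="Content-Security-Policy">
    tag, or None if the document carries none."""
    m = META_RE.search(html)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


# Constructed sample inputs: a header value mixing 1.0 and 1.1 directives (with a
# duplicated script-src that the parser must drop) and a page using the <meta> form.
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.net; "
    "script-nonce d4e5f6; form-action 'self'; plugin-types application/pdf; "
    "frame-options deny; sandbox allow-forms; script-src 'unsafe-inline'"
)
SAMPLE_HTML = (
    '<html><head><meta http-equiv="Content-Security-Policy" '
    'content="default-src \'none\'; img-src \'self\'"></head></html>'
)

if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for name, values in parsed.items():
        print(f"{name}: {values}")
    print(classify(parsed))
    print("meta policy:", policy_from_meta(SAMPLE_HTML))
```

Running this on the sample shows the duplicated `script-src 'unsafe-inline'` being discarded in favour of the first `script-src`, which is the behaviour a reviewer needs to keep in mind when auditing a policy that has been assembled from several sources; the classification output tells the reviewer which directives a CSP 1.0-only user agent will silently ignore.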