- From: Dan Veditz <dveditz@mozilla.com>
- Date: Tue, 27 Nov 2012 23:10:44 -0800
- To: Mike West <mkwst@google.com>
- CC: public-webappsec@w3.org

On 11/22/12 4:35 AM, Mike West wrote:
> What do you think about making such a feature an opt-in portion of the
> policy by adding a `'self'` keyword to the `report-uri` directive? If
> the keyword is set, violation events would be fired at the
> `document.securityPolicy` object; if not, no violation events would fire
> for that policy.

I like the concept but have concerns over re-using 'self'. This is a
completely different 'self', the page vs. the origin server elsewhere.
Maybe something like 'page', 'events' or 'enable-events'? Those aren't
even close to a "URI" though and it's too late to change the report-uri
directive name -- maybe 'self' wasn't so bad.

I prefer opt-in, but a similar syntax for opt-out could be

    report-uri 'no-events' <sites>;

When you describe this as an "event" do you mean a DOM Event conforming
to the DOM Level 3 Events spec? Does that mean document.securityPolicy
is a DOM Node somehow? Maybe we should target the document itself instead.

-Dan Veditz
Received on Wednesday, 28 November 2012 07:11:14 UTC