- From: Dan Veditz <dveditz@mozilla.com>
- Date: Tue, 27 Nov 2012 23:10:44 -0800
- To: Mike West <mkwst@google.com>
- CC: public-webappsec@w3.org
On 11/22/12 4:35 AM, Mike West wrote:
> What do you think about making such a feature an opt-in portion of the
> policy by adding a `'self'` keyword to the `report-uri` directive? If
> the keyword is set, violation events would be fired at the
> `document.securityPolicy` object; if not, no violation events would fire
> for that policy.

I like the concept but have concerns over re-using 'self'. This is a completely different 'self', the page vs. the origin server elsewhere. Maybe something like 'page', 'events' or 'enable-events'? Those aren't even close to a "URI" though and it's too late to change the report-uri directive name -- maybe 'self' wasn't so bad.

I prefer opt-in, but a similar syntax for opt-out could be

    report-uri 'no-events' <sites>;

When you describe this as an "event" do you mean a DOM Event conforming to the DOM Level 3 Events spec? Does that mean document.securityPolicy is a DOM Node somehow? Maybe we should target the document itself instead.

-Dan Veditz
Received on Wednesday, 28 November 2012 07:11:14 UTC