
Re: Trimming the SecurityPolicy DOM interface

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 27 Apr 2013 11:59:12 -0700
Message-ID: <CAJE5ia9VKgiUftMudgKJGGgOrj4O0at1-u20N5=2pueLaNq-0w@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>

Alex, would you be willing to share the specific use cases you have in
mind?  We just want to make sure there are solid use cases for the
features in the spec.

Adam


On Sat, Apr 27, 2013 at 11:31 AM, Alex Russell <slightlyoff@google.com> wrote:
> I object to these changes in the strongest possible terms. If it is not
> possible to implement CSP policy enforcement on top of your API, it is not
> sufficient.
>
> On Apr 27, 2013 5:46 PM, "Adam Barth" <w3c@adambarth.com> wrote:
>>
>> As discussed at the face-to-face meeting, I've trimmed the
>> SecurityPolicy DOM interface to just the first four attributes:
>>
>> https://dvcs.w3.org/hg/content-security-policy/rev/f338192860c5
>>
>> At the meeting, we discussed that these attributes have strong use
>> cases, but we couldn't think of any strong use cases for the remaining
>> DOM interfaces.
>>
>> If folks come up with strong use cases, we should consider adding back
>> the removed interfaces (or adding new interfaces that better address
>> those use cases).
>>
>> Note: At the face-to-face, we discussed making some of these attributes
>> writable in some circumstances, but I haven't made that change yet
>> because it probably deserves more discussion.
>>
>> Adam
>>
>
Received on Saturday, 27 April 2013 19:00:11 UTC
