Re: Trimming the SecurityPolicy DOM interface from Ian Melven on 2013-04-29 (public-webappsec@w3.org from April 2013)

From: Ian Melven <imelven@mozilla.com>
Date: Mon, 29 Apr 2013 12:56:08 -0700 (PDT)
To: Eduardo' Vela <evn@google.com>
Cc: Alex Russell <slightlyoff@google.com>, public-webappsec@w3.org, Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <1703047040.13413321.1367265368571.JavaMail.root@mozilla.com>

fwiw, CSP in a <meta> tag has also been brought up as an approach to that use case (tightening
the CSP policy after an initial bootstrap phase has loaded a bunch of stuff). 

thanks,
ian

----- Original Message -----
From: "Eduardo' Vela" <evn@google.com>
To: "Adam Barth" <w3c@adambarth.com>
Cc: "Alex Russell" <slightlyoff@google.com>, public-webappsec@w3.org, "Mike West" <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
Sent: Saturday, April 27, 2013 3:25:48 PM
Subject: Re: Trimming the SecurityPolicy DOM interface

And script-subset could allow the policy be subset.. May be useful if you want say, load inline scripts at load time, and then lock it down to no inline scripts.

Received on Monday, 29 April 2013 19:56:37 UTC