Re: Trimming the SecurityPolicy DOM interface

From: Eduardo' Vela <evn@google.com>
Date: Mon, 29 Apr 2013 15:12:43 -0700
Message-ID: <CAFswPa9_CjrDSW2YY-kCi4StxKO0UOpbO3c9LbZdimFd+GoH0w@mail.gmail.com>
To: Ian Melven <imelven@mozilla.com>
Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>, Adam Barth <w3c@adambarth.com>

Yes, that's what I'm doing ATM, but WebKit only respects the first CSP
policy it receives, so this only works if the page has no CSP yet.


On Mon, Apr 29, 2013 at 12:56 PM, Ian Melven <imelven@mozilla.com> wrote:

>
> fwiw, CSP in a <meta> tag has also been brought up as an approach to that
> use case (tightening
> the CSP policy after an initial bootstrap phase has loaded a bunch of
> stuff).
>
> thanks,
> ian
>
>
> ----- Original Message -----
> From: "Eduardo' Vela" <evn@google.com>
> To: "Adam Barth" <w3c@adambarth.com>
> Cc: "Alex Russell" <slightlyoff@google.com>, public-webappsec@w3.org,
> "Mike West" <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
> Sent: Saturday, April 27, 2013 3:25:48 PM
> Subject: Re: Trimming the SecurityPolicy DOM interface
>
>
>
> And script-subset could allow the policy to be subset. May be useful if you
> want to, say, load inline scripts at load time, and then lock it down to no
> inline scripts.
>
Received on Monday, 29 April 2013 22:13:29 UTC
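
Added illustration, not part of the thread and not any browser's code: a small JavaScript model of the situation in the reply above, comparing a user agent that enforces every policy it receives with one that enforces only the first. It covers only inline-script permission through `script-src`/`default-src`; the function names, the two modes and the sample policies are constructed for this example.

```javascript
// Added model, not browser code: which policies govern an inline <script>?
// Only script-src / default-src and 'unsafe-inline' are modelled.

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function allowsInlineScript(policy) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing in this policy governs scripts
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// mode 'all': a script must pass every delivered policy, so a later policy
//             can only tighten (assumed model of the behaviour the thread wants).
// mode 'first-only': only the first policy counts, as the reply reports for WebKit.
function inlineScriptAllowed(policyTexts, mode) {
  const policies = policyTexts.map(parsePolicy);
  const enforced = mode === 'first-only' ? policies.slice(0, 1) : policies;
  return enforced.every(allowsInlineScript);
}

// Constructed sample policies.
const BOOTSTRAP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const LOCKDOWN = "script-src 'self'"; // what a later <meta> tag would add

function scenarios() {
  return {
    // Page already has a header policy, then adds the lockdown policy.
    headerThenMeta: {
      all: inlineScriptAllowed([BOOTSTRAP, LOCKDOWN], 'all'),
      firstOnly: inlineScriptAllowed([BOOTSTRAP, LOCKDOWN], 'first-only'),
    },
    // Page has no policy yet, so the lockdown policy is the first one.
    metaOnly: {
      all: inlineScriptAllowed([LOCKDOWN], 'all'),
      firstOnly: inlineScriptAllowed([LOCKDOWN], 'first-only'),
    },
  };
}

console.log(scenarios());
```

In the `headerThenMeta` case the two modes disagree: under `first-only` the inline script is still allowed after the lockdown policy is added, which is the limitation the reply describes.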