Re: policy-uri proposal (ACTION 97)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 25 Jun 2013 23:29:56 -0700
Message-ID: <51CA8A64.3030906@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>
CC: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 6/25/2013 2:38 AM, Anne van Kesteren wrote:
> :-( It seems -uri is also used for the JSON resource. So if we only
> add it as alias it would not solve that, though we could avoid
> introducing more -uri in 1.1 I suppose. It really blows we don't use
> the correct term consistently.

I'm pretty sure CSP is at least consistent, and if it's wrong and you
need to blame someone you can start with me. A few years back in
Gecko-land we had to rename all the URL things to URI because someone
decided it was "more correct". I may have misunderstood the origin of
that push but I thought it came from the W3C.

As a result, when we formulated the first CSP proposal and presented it
to the W3C we carefully used "uri" throughout, believing that to be the
preferred term. Until now no one has objected, which only reinforced that
belief. Firefox 4 shipped in March 2011 using "-uri" in its x-CSP syntax
and we've talked about it a lot longer than that. If it truly is the
incorrect term it would have been nice to tell me sometime during the
last two or three years.

I don't really care which term we use, but I do care a lot about
internal consistency. Having -uri in one directive and -url in another
in the same header syntax is begging for broken CSP policies and
developer hatred.

Do we have to change the 1.0 spec and the compliant implementations at
this late date?

-Dan Veditz



Received on Wednesday, 26 June 2013 06:30:26 UTC
