- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 26 Jun 2013 11:18:45 +0100
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jun 26, 2013 at 7:29 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> I'm pretty sure CSP is at least consistent, and if it's wrong and you
> need to blame someone you can start with me. A few years back in
> Gecko-land we had to rename all the URL things to URI because someone
> decided it was "more correct". I may have misunderstood the origin of
> that push but I thought it came from the W3C.

Given that Gecko (like all other browsers) does not implement the URI specifications but something much closer to http://url.spec.whatwg.org/ that move seems misguided. I was not around when it happened.

> As a result when we formulated the first CSP proposal and presented it
> to the W3C we carefully used "uri" throughout, believing that to be the
> preferred term. Until now no one has objected which only reinforced that
> belief. Firefox 4 shipped in March 2011 using "-uri" in its x-CSP syntax
> and we've talked about it a lot longer than that. If it truly is the
> incorrect term it would have been nice to tell me sometime during the
> last two or three years.

I'm kind of surprised nobody else caught this. Unfortunately I can't solely review all the new features as they are developed.

> I don't really care which term we use, but I do care a lot about
> internal consistency. Having -uri in one directive and -url in another
> in the same header syntax is begging for broken CSP policies and
> developer hatred.

Internal consistency definitely trumps platform consistency, but it gets muddy once you start exposing APIs that are touched by people that also touch new URL() and such.

> Do we have to change the 1.0 spec and the compliant implementations at
> this late date?

Again, if we can that'd be great.

--
http://annevankesteren.nl/
Received on Wednesday, 26 June 2013 10:19:12 UTC