Re: policy-uri proposal (ACTION 97)

On Wed, Jun 26, 2013 at 7:29 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> I'm pretty sure CSP is at least consistent, and if it's wrong and you
> need to blame someone you can start with me. A few years back in
> Gecko-land we had to rename all the URL things to URI because someone
> decided it was "more correct". I may have misunderstood the origin of
> that push but I thought it came from the W3C.

Given that Gecko (like all other browsers) does not implement the URI
specifications but something much more closely to
http://url.spec.whatwg.org/ that move seems misguided. I was not
around when it happened.


> As a result when we formulated the first CSP proposal and presented it
> to the W3C we carefully used "uri" throughout, believing that to be the
> preferred term. Until now no one has objected which only reinforced that
> belief. Firefox 4 shipped in March 2011 using "-uri" in its x-CSP syntax
> and we've talked about it a lot longer than that. If it truly is the
> incorrect term it would have been nice to tell me sometime during the
> last two or three years.

I'm kind of surprised nobody else caught this. Unfortunately I can't
solely review all the new features as they are developed.


> I don't really care which term we use, but I do care a lot about
> internal consistency. Having -uri in one directive and -url in another
> in the same header syntax is begging for broken CSP policies and
> developer hatred.

Internal consistency definitely trumps platform consistency, but it
gets muddy once you start exposing APIs that are touched by people
that also touch new URL() and such.


> Do we have to change the 1.0 spec and the compliant implementations at
> this late date?

Again, if we can that'd be great.


--
http://annevankesteren.nl/

Received on Wednesday, 26 June 2013 10:19:12 UTC