- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Wed, 13 Aug 2014 21:27:07 -0500
- To: WebAppSec WG <public-webappsec@w3.org>
Based upon <http://www.w3.org/TR/2014/WD-CSP2-20140703/>.

* Some indication of this spec's relationship to CSP1 is necessary, if only to say "It is backwards-compatible and adds the following directives..." Without that, it's very difficult for readers to judge what's changed, and whether they need to change existing deployed policies.

* Prefixing header field names with "CH-" is cargo cult protocol design; please stop it. See also <https://github.com/igrigorik/http-client-hints/issues/24>. It's not a "Client Hint", it's a request header field.

* If you want any other values to be possible, you need to define extensibility for CH-CSP. Also, *WSP is not necessary there.

* See <http://httpwg.github.io/specs/rfc7231.html#considerations.for.new.header.fields> for a list of other things to think about / document when creating new header fields.

* Having a different spelling for "referrer" as compared to the header seems to invite problems/misunderstanding...

Cheers,

--
Mark Nottingham
mnot@akamai.com
https://www.mnot.net/
Received on Thursday, 14 August 2014 02:27:40 UTC