Re: Comments on CSP Level 2

Thanks, Mark!

On Thu, Aug 14, 2014 at 4:27 AM, Nottingham, Mark <>

> Based upon <>.
> * Some indication of this spec's relationship to CSP1 is necessary, if
> only to say "It is backwards-compatible and adds the following
> directives..."  Without that, it's very difficult for readers to judge
> what's changed, and whether they need to change existing deployed policies.

Yes. Sorry I haven't taken care of this yet. Filed to make sure I remember.

> * Prefixing header field names with "CH-" is cargo cult protocol design;
> please stop it. See also <>. It's not a
> "Client Hint", it's a request header field.

Hrm. Ok. My thought was that it was a hint to the server about the client's
execution environment ("CSP is active on the client for this request.").
Filed to rename.

> * If you want any other values to be possible, you need to define
> extensibility for CH-CSP. Also, *WSP is not necessary there.

CSP2 doesn't define any other values. I can't think of any other values
that we'd add, but that certainly doesn't mean that none exist. What's the
right way to define extensibility?

> * Having a different spelling for "referrer" as compared to the header
> seems to invite problems/misunderstanding...

As Anne noted, there's enough precedent for correcting the spelling that
I'd like to do so here as well.


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 18 August 2014 07:55:21 UTC