- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Tue, 19 Aug 2014 02:18:33 -0500
- To: Mike West <mkwst@google.com>
- CC: WebAppSec WG <public-webappsec@w3.org>
Thanks!

On 18 Aug 2014, at 5:54 pm, Mike West <mkwst@google.com> wrote:

> Thanks, Mark!
>
> On Thu, Aug 14, 2014 at 4:27 AM, Nottingham, Mark <mnotting@akamai.com> wrote:
> Based upon <http://www.w3.org/TR/2014/WD-CSP2-20140703/>.
>
> * Some indication of this spec's relationship to CSP1 is necessary, if only to say "It is backwards-compatible and adds the following directives..." Without that, it's very difficult for readers to judge what's changed, and whether they need to change existing deployed policies.
>
> Yes. Sorry I haven't taken care of this yet. Filed https://github.com/w3c/webappsec/issues/45 to make sure I remember.
>
> * Prefixing header field names with "CH-" is cargo cult protocol design; please stop it. See also <https://github.com/igrigorik/http-client-hints/issues/24>. It's not a "Client Hint", it's a request header field.
>
> Hrm. Ok. My thought was that it was a hint to the server about the client's execution environment ("CSP is active on the client for this request."). Filed https://github.com/w3c/webappsec/issues/46 to rename.
>
> * If you want any other values to be possible, you need to define extensibility for CH-CSP. Also, *WSP is not necessary there.
>
> CSP2 doesn't define any other values. I can't think of any other values that we'd add, but that certainly doesn't mean that none exist. What's the right way to define extensibility?
>
> * Having a different spelling for "referrer" as compared to the header seems to invite problems/misunderstanding...
>
> As Anne noted, there's enough precedent for correcting the spelling that I'd like to do so here as well.
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

--
Mark Nottingham
mnot@akamai.com
https://www.mnot.net/
Received on Tuesday, 19 August 2014 07:19:01 UTC