[CSP] kill or delay child-src?

Mozilla is not currently planning to implement section 7.2 child-src and
would prefer that this feature be delayed to a later edition of the CSP
spec or outright killed. Or maybe we just don't understand the
usefulness of the change. Originally this was defined to unify frame-src
and Workers but since then the rules for Workers have changed
considerably (they need to specify their own policy header). Does it
still make sense to deprecate the frame-src that existing policies are
using if the child-src directive ends up covering only frames anyway?

If we keep child-src then the spec needs to say what happens during
frame loads if a policy specifies both child-src and frame-src (and they
aren't identical).

If child-src is just an alias for frame-src it should be easy to
implement, but in that case seems a bit pointless.

-Dan Veditz

Received on Wednesday, 27 August 2014 07:49:45 UTC
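
The case raised in the message, a policy that sets both child-src and frame-src with non-identical source lists, can be flagged by a policy lint. The JavaScript below is an added example, not part of the original message, the CSP spec, or any browser's code. The function names and sample policies are constructed, and the lint only reports the conflict without assuming which directive a browser would enforce.

```javascript
// Added example: lint a CSP header value for child-src / frame-src conflicts.
// Parsing follows the CSP serialization: ';'-separated directives,
// case-insensitive directive names, and the first occurrence of a
// duplicated directive wins (later ones are ignored).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hypothetical lint: classify how frame loads are governed by the policy.
// Source expressions are compared verbatim and order-insensitively, so lists
// that differ only in letter case are reported as a conflict (conservative).
function checkFrameDirectives(header) {
  const policy = parsePolicy(header);
  const child = policy.get('child-src');
  const frame = policy.get('frame-src');
  if (child && frame) {
    const onlyChild = [...new Set(child)].filter((s) => !frame.includes(s));
    const onlyFrame = [...new Set(frame)].filter((s) => !child.includes(s));
    const status =
      onlyChild.length === 0 && onlyFrame.length === 0 ? 'redundant' : 'conflict';
    return { status, onlyChild, onlyFrame };
  }
  if (child) return { status: 'child-src-only', onlyChild: [], onlyFrame: [] };
  if (frame) return { status: 'frame-src-only', onlyChild: [], onlyFrame: [] };
  return { status: 'neither', onlyChild: [], onlyFrame: [] };
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "default-src 'self'; child-src https://a.example; frame-src https://a.example https://b.example",
  "Frame-Src https://a.example 'self'; child-src 'self' https://a.example",
  "default-src 'self'; frame-src https://a.example",
];
for (const s of samples) {
  console.log(checkFrameDirectives(s).status, '<-', s);
}
```

A `conflict` result lists the sources present in only one of the two directives, which is the set whose handling depends on how the user agent resolves the overlap.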