- From: Mike West <mkwst@google.com>
- Date: Tue, 3 Jun 2014 10:45:28 +0200
- To: "Oda, Terri" <terri.oda@intel.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=f6FnUSKpQ=TvL12UM5cyP30t2g3Dk-Q0S+NZgTyVZHOQ@mail.gmail.com>
What would you expect such a table to contain? Sorry, I don't think I've
understood the points around which you've heard developer confusion, Brad.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Jun 3, 2014 at 2:47 AM, Oda, Terri <terri.oda@intel.com> wrote:

> On Mon, Jun 2, 2014 at 9:04 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> A wider point of possible confusion here - we need to make sure
>> developers understand they can't use CSP to enforce restrictions like
>> sandboxing on a script file. (I've had very smart people ask me about
>> this in the past - the model of what is a "resource" from the
>> browser's internals is not immediately obvious to everyone.)
>> (...)
>>
>> Among "JavaScript global environment", "document environment",
>> "dedicated worker environment", "shared worker
>> environment", and "worker environment", where does CSP state live and
>> what loads get to influence it? Maybe a table would be helpful.
>>
>
> +1 to the idea of a table.
>
> While I haven't directly gotten that question, I could definitely see it
> coming up, and I know I have had similar confused questions about same
> origin that seem to be answered most clearly with a table.
>

Received on Tuesday, 3 June 2014 08:46:17 UTC