Re: CSP3: DOM API Strawman

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 14:43:35 +0100
Message-ID: <CAKXHy=eYTCWYEa3sKT8a0opAFHS1v=Kq18ACvck=yP5bAF017A@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 3, 2014 at 2:36 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/3/14, 8:24 AM, Mike West wrote:
>
>> I've started putting together a strawman DOM API for discussion:
>> https://w3c.github.io/webappsec/specs/content-security-policy/#strawman-dom-api
>>
>
> Mike, why is SecurityPolicySource marked NoInterfaceObject?
>

I think of it as a pure virtual interface which SecurityPolicySourceURL,
SecurityPolicySourceHash, and SecurityPolicySourceNonce implement. I
suppose this doesn't actually require marking it as NoInterfaceObject,
however.


> Similar for SecurityPolicyDirective.
>

Ditto. It would be implemented by SecurityPolicySourceListDirective,
SecurityPolicyMediaTypeDirective, and SecurityPolicyToBeDeterminedDirective.


> Please don't use IDL arrays; pick a sane type for
> SecurityPolicySourceListDirective.sources and SecurityPolicy.directives.


Those are arrays only because Bikeshed is rejecting
`sequence<SecurityPolicySource>`. Conceptually, however, I hope the
strawman is at least clear as to how I'd suggest structuring things for
source list directives: SecurityPolicy holds and exposes a set of
Directives, which hold and expose a set of SecurityPolicySources.

-mike
Received on Monday, 3 November 2014 13:44:24 UTC