On Thu, Nov 13, 2014 at 7:11 PM, Brian Smith <brian@briansmith.org> wrote:
> Mike West <mkwst@google.com> wrote:
> > I think this is a pretty reasonable concept to add to MIX.
> >
> > It's not clear to me whether it should be the default behavior, or
> whether
> > it should be opted-into (similar to `sandbox`).
>
> Obviously, if it cannot be done by default, then it could be added as
> a sandbox directive. But, if we can avoid adding any new mechanism,
> then that is greatly preferable, for simplicity's sake.
>
> Cheers,
> Brian
>
So, that's a lot of hypotheticals. My gut is that they're correct - but we
need empirical data, either due to a browser implementing it ("Damn the
torpedoes!") or through telemetry/metrics.
Since I like security more than complexity, consider it a +1 to spec'ing
it, and then we revisit during whenever that point during the revised W3C
process where people actually implement and discover it might need to be
opt-in for some time before (eventually) becoming default.