- From: Mike West <mkwst@google.com>
- Date: Mon, 20 Oct 2014 17:39:08 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
- Message-ID: <CAKXHy=dFjCK9u_6sEHdRX54UbNjsevf7YDkuyQQty-L_Rssy9Q@mail.gmail.com>
On Mon, Oct 20, 2014 at 5:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Oct 20, 2014 at 5:02 PM, Mike West <mkwst@google.com> wrote:
> > Point taken regarding hooks from Fetch. It's not clear to me what the best
> > way to manage that sort of thing is; do you already have ideas about how
> > you'd like such a hook to look?
>
> Something similar to what we have now. I pass you some objects, you
> return a boolean. (HSTS and REFERRER are harder of course. At least as
> long as we attempt to keep the hook from having side effects, which
> seems like a good thing.)

I was more curious about the ordering. That is, does MIX or CSP happen
first? In Chrome and Firefox, CSP happens first so that you can use CSP's
reporting mechanism to diagnose mixed content issues. We should ensure
that's specified somehow. As long as there's one hook per spec, that's easy.

> (If you like to write small documents with lots of boilerplate over a

The boilerplate is mostly autogenerated. From a writing perspective, that's
no big deal.

> single document with multiple chapters, up to you I guess. I'd rather

Maybe I'm just a bad writer, but I think it'd be tough to sensibly combine
something like MIX and CSP conceptually. From a Fetch perspective, I totally
understand though: they both give you a "block this request or not" signal,
which is what you care about.

> review a single document on security-related policies. The alternative
> is finding the right links and hope I got them all and that they're
> all the latest, and is annoying at times.)

I think this is an argument for putting together an explainer document
(Service Worker has done well with
https://github.com/slightlyoff/ServiceWorker/blob/master/explainer.md) that
points to the various things you might care about when evaluating a page's
security policy, and linking to that document from various specs. I don't
see it as an argument for joining otherwise unrelated prose into a larger
document.
-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 20 October 2014 15:40:03 UTC
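The ordering point made in the message (run the CSP hook before the mixed-content hook so that CSP's reporting can surface mixed-content problems) can be seen in a small model. The following Python is an added example for this archive page, not code from the message, from Fetch, or from the CSP or Mixed Content specs: the hook names `csp_check` and `mixed_content_check`, the `run_fetch` driver, the report dictionary shape and the cut-down source-expression matching are all assumptions made for the demonstration. Both hooks are pure functions that return a verdict; the driver, not the hook, emits reports, which keeps the hooks free of side effects as Anne's reply suggests.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Request:
    url: str            # absolute URL being fetched
    destination: str    # "image", "script", "style", ...
    client_origin: str  # origin of the document issuing the request


@dataclass(frozen=True)
class CSPPolicy:
    directives: dict    # directive name -> list of source expressions
    report_only: bool = False


# Hypothetical, simplified mapping from request destination to CSP directive.
DESTINATION_DIRECTIVE = {"image": "img-src", "script": "script-src", "style": "style-src"}


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def _source_matches(source, request):
    """Minimal subset of CSP source-expression matching (assumption: enough for the demo)."""
    if source == "*":
        return True
    if source == "'self'":
        return _origin(request.url) == request.client_origin
    if source.endswith(":"):                 # scheme-source such as "https:"
        return urlparse(request.url).scheme == source[:-1]
    return _origin(request.url) == source    # host-source written as an origin


def csp_check(request, policy):
    """Pure CSP hook: returns (allowed, violated_directive). No side effects."""
    directive = DESTINATION_DIRECTIVE.get(request.destination, "default-src")
    sources = policy.directives.get(directive)
    if sources is None:
        sources = policy.directives.get("default-src")
    if sources is None:
        return True, None
    if any(_source_matches(s, request) for s in sources):
        return True, None
    return False, directive


def mixed_content_check(request):
    """Pure MIX hook: block plaintext http fetches from an https document.
    Simplification: the real algorithm distinguishes blockable and
    optionally-blockable content and has exceptions for localhost."""
    secure_client = request.client_origin.startswith("https://")
    insecure_target = urlparse(request.url).scheme == "http"
    return not (secure_client and insecure_target)


def run_fetch(request, policy, order=("csp", "mix")):
    """Run the hooks in the given order; reporting happens here, outside the hooks.
    Returns (outcome, csp_reports)."""
    reports = []
    for hook in order:
        if hook == "csp":
            allowed, directive = csp_check(request, policy)
            if not allowed:
                reports.append({"blocked-uri": request.url, "violated-directive": directive})
                if not policy.report_only:
                    return "blocked-by-csp", reports
        elif hook == "mix":
            if not mixed_content_check(request):
                return "blocked-by-mix", reports
    return "allowed", reports


# Constructed sample: an https page loads an http image under `img-src https:`.
PAGE = "https://example.test"
POLICY = CSPPolicy({"img-src": ["https:"]})
REPORT_ONLY_POLICY = CSPPolicy({"img-src": ["https:"]}, report_only=True)
INSECURE_IMG = Request("http://cdn.example.test/a.png", "image", PAGE)
SECURE_IMG = Request("https://cdn.example.test/a.png", "image", PAGE)

if __name__ == "__main__":
    print(run_fetch(INSECURE_IMG, POLICY))                        # CSP first: blocked, one report
    print(run_fetch(INSECURE_IMG, POLICY, order=("mix", "csp")))  # MIX first: blocked, no report
    print(run_fetch(INSECURE_IMG, REPORT_ONLY_POLICY))            # report emitted, then MIX blocks
    print(run_fetch(SECURE_IMG, POLICY))                          # allowed
```

With CSP first, the insecure image produces a violation report that names `img-src` and the blocked URL, so a site owner collecting reports learns about the mixed-content load. With MIX first the request is still blocked, but silently: no CSP report is ever generated, which is exactly the diagnostic signal the message says Chrome and Firefox preserve by ordering CSP ahead of MIX.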