- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Sat, 15 Aug 2015 02:25:30 +0000
- To: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaXhMkRu5wzWrwUPLjFgMSUd6FLL5TY3vmyfEYX5=WzQYg@mail.gmail.com>
Great! I have also submitted a proposal for Ember to start using this for their applications and addons, which would give an implementation: https://github.com/ember-cli/rfcs/pull/22

I'm not sure if browsers would initially have to do anything with this proposal at all (however, I have ideas where it could be utilised, certainly). However, it would be great if we could agree on an external representation, mostly so each framework ecosystem doesn't go implementing their own.

My underlying goal is that most of the implementation of the Ember checking and the merging would be implemented in a stand-alone package that any library could consume.

On Sat, Aug 15, 2015 at 12:26 AM Brad Hill <hillbrad@gmail.com> wrote:
> I like this idea a lot.
>
> On Fri, Aug 14, 2015 at 3:22 PM Jonathan Kingston <jonathan@jooped.com> wrote:
>
>> Hi WebAppSec,
>>
>> I have been thinking recently about how a subresource/external library could declare what their policy was.
>>
>> My current thinking is that this would be best served by a JSON representation of CSP policies, which would aid the publisher in being able to merge several policies together without having to do a full audit of third-party code.
>>
>> The developer could simply merge in the new policy whilst still remaining with the most stringent policy possible. Currently this step is manual, and I hope that this would allow it to become much more automated.
>>
>> Here is my super draft proposal: https://gist.github.com/jonathanKingston/5699b440f608960dc089
>>
>> Kind regards
>> Jonathan
>>
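The merge step the thread describes (each library declares the CSP sources it needs as JSON; the application folds those into its own policy without widening it more than the declarations require) is sketched below as an added example. It is not code from the gist, the Ember RFC, or any participant in the thread, and the JSON shape it assumes (`{ "directive": ["source", ...] }` per library) is an assumption, since the page does not show the proposed format. The two points a practitioner would want the merge to get right are included: a library asking for a widening source such as `'unsafe-inline'` or `*` is rejected rather than silently merged, and when a library introduces a fetch directive the application did not have, that directive is seeded from `default-src` so the existing fallback is not lost. Sample policies are constructed for the example.

```javascript
// Added example: merging per-library CSP requirements into an application
// policy. Names, inputs and the JSON shape are assumptions, not the thread's.

// Sources that loosen a policy; refuse them unless explicitly allowed.
const WIDENING_SOURCES = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"]);

// Fetch directives that fall back to default-src when they are absent.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "media-src", "object-src", "child-src",
]);

// Parse a CSP header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Serialize back to a header value, directives sorted for a stable output.
function serializePolicy(policy) {
  return Object.keys(policy).sort()
    .map((name) => [name, ...policy[name]].join(" "))
    .join("; ");
}

// Merge library requirements [{ name, policy }] into the application policy.
// Returns the merged policy plus a log of every source that was added, so the
// publisher can review exactly what each library widened.
function mergePolicies(base, requirements, options = {}) {
  const allowWidening = options.allowWidening === true;
  const merged = {};
  for (const [directive, sources] of Object.entries(base)) merged[directive] = [...sources];
  const added = [];

  for (const req of requirements) {
    for (const [directive, sources] of Object.entries(req.policy)) {
      if (!(directive in merged)) {
        // Adding an explicit fetch directive would otherwise drop the
        // default-src fallback, so start from default-src (minus 'none',
        // which is only meaningful as the sole source).
        const fallback = FETCH_DIRECTIVES.has(directive) && merged["default-src"]
          ? merged["default-src"].filter((s) => s !== "'none'")
          : [];
        merged[directive] = [...fallback];
      }
      for (const src of sources) {
        if (WIDENING_SOURCES.has(src) && !allowWidening) {
          throw new Error(`${req.name} requests ${src} for ${directive}; refusing to widen`);
        }
        if (!merged[directive].includes(src)) {
          merged[directive].push(src);
          added.push({ library: req.name, directive, source: src });
        }
      }
    }
  }
  return { policy: merged, added };
}

// Constructed inputs: an application policy and two hypothetical addons.
const APP_POLICY = parsePolicy("default-src 'self'; script-src 'self'; object-src 'none'");
const LIBRARY_REQUIREMENTS = [
  { name: "example-data-addon", policy: { "connect-src": ["https://api.example.com"] } },
  { name: "example-fonts-addon", policy: {
      "font-src": ["https://fonts.example.net"],
      "style-src": ["https://fonts.example.net"] } },
];

function mergedHeader() {
  return serializePolicy(mergePolicies(APP_POLICY, LIBRARY_REQUIREMENTS).policy);
}

function addedCount() {
  return mergePolicies(APP_POLICY, LIBRARY_REQUIREMENTS).added.length;
}

// A library declaring 'unsafe-inline' is rejected instead of merged.
function rejectsWidening() {
  try {
    mergePolicies(APP_POLICY, [{ name: "bad-addon", policy: { "script-src": ["'unsafe-inline'"] } }]);
    return false;
  } catch (e) {
    return /refusing to widen/.test(e.message);
  }
}

console.log(mergedHeader());
```

Note that `connect-src`, `font-src` and `style-src` all start from `'self'` in the output even though the application never declared them explicitly; without that seeding, adding `connect-src https://api.example.com` would have cut off same-origin XHR that `default-src 'self'` previously allowed. The `added` log is what an audit step would surface to the publisher.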
Received on Saturday, 15 August 2015 02:26:08 UTC