On Wed, Aug 12, 2015 at 3:14 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Can someone from Mozilla or IE confirm that they intend to implement
> child-src? As of the latest Firefox nightly, I still get console warnings
> that 'child-src' is an unknown directive.

Dan, Tanvi, and Christoph: can you follow up on Brad's question regarding `child-src` in Firefox? I thought y'all had implemented that already; if you haven't, then we might need to re-evaluate whether or not it should be in CSP2. That would be disappointing, seeing as how Chrome has already taken the compatibility hit, but if there are good reasons that it's not in Firefox, we should chat. :)

On Aug 13, 2015 17:04, "Crispin Cowan" <crispin@microsoft.com> wrote:

> We are working on filling in our standards gaps, but CSP2 is not at the
> top of that queue.

Hey Crispin! I hope that when putting together Edge's list of priorities you recognize that CSP2 isn't a monolith. I'd suggest that it's possible for you to pull out pieces that would have more impact than others, and implement those. For instance, I'd note that Google properties are beginning to roll out fairly pervasive support for path-based limitations, and beginning to use nonces as opposed to relying on 'unsafe-inline'. Those features might be worth spending time on supporting sooner rather than later.

-mike

Received on Monday, 17 August 2015 21:47:32 UTC