
Re: Proposal: A pinning mechanism for CSP?

From: Mike West <mkwst@google.com>
Date: Fri, 30 Jan 2015 15:06:06 +0100
Message-ID: <CAKXHy=cqjnpChqx0F6vQoJ9U69GE0VuH+7Fdj0srvy_Sp1JC3g@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>
Cc: yan zhu <yan@mit.edu>, Dan Veditz <dveditz@mozilla.com>, Yan Zhu <yzhu@yahoo-inc.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Frederik Braun <fbraun@mozilla.com>, Jim Manico <jim.manico@owasp.org>

On Jan 30, 2015 12:56 PM, "Mike West" <mkwst@google.com> wrote:
> For simplicity's sake, I'd vote for #2, with the option of moving to #3
> in the future. That 'no-override' model leaves the majority of the power
> with the _pin_ and not the _page_, which seems like the right tradeoff.

I confused myself, apologies. I vote for #2 with the option of moving to
#2a in the future. Not #3.

-mike
Received on Friday, 30 January 2015 14:06:33 UTC
