W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE]: What's left?

From: Mike West <mkwst@google.com>
Date: Fri, 13 Mar 2015 07:45:49 +0100
Message-ID: <CAKXHy=dLS3OmN4XJ+VCO47ca9qoUmh9=vPGsw8UaUp-_np3PcQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Ilya Grigorik <igrigorik@google.com>, Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Eric Mill <eric@konklone.com>, Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "=JeffH Hodges" <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Yoav Weiss <yoav@yoav.ws>
On Fri, Mar 13, 2015 at 4:55 AM, Mark Nottingham <mnot@mnot.net> wrote:

> Sorry, just catching up on this spec. Expect some pull requests / issues.
>

Looking forward to them!


> I don't think there's any problem layering in redirect semantics on a 200
> -- it's not pretty, but as pointed out, we already do this elsewhere.
>
> A new 2xx is an interesting idea, but probably overkill.
>
> I wouldn't use Link for this, too many nasty corner cases. E.g., what if <
> http://www.mnot.net/> sends a Link to <https://other.foo.com/bar?baz>?
>
> Just define a new header; they're cheap.


They're cheap in isolation, but expensive in aggregate. We're talking about
a signal that we'd be locking ourselves into pretty much forever. It seems
like we can deal with a little bit of flexibility around how we specify the
redirect behavior if it allows us to avoid permanent cruft in request
headers. That's the main reason I'd prefer just sending the CSP directive
in the response, and allowing the client to decide what to do with it.

That would even have cachability advantages, as we wouldn't need to vary
the response based on request headers: new browsers would see the header,
and navigate the user in response. Old clients would ignore the directive
they don't understand, and render the page.

That seems like a good outcome to me.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 13 March 2015 06:46:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC