
Re: CSP3 as a polylithic set of modules?

From: Jonathan Kingston <jonathan@jooped.com>
Date: Tue, 29 Sep 2015 00:03:17 +0000
Message-ID: <CAKrjaaWuuEJoktSBmM-sj2Ct8ozLmCy5=9Xsfqi0moe6YSrpag@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Joel Weinberger <jww@chromium.org>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Mark Nottingham <mnot@mnot.net>, Travis Leithead <Travis.Leithead@microsoft.com>

CSSWG seem to have avoided the versioning using exactly this scheme, right?

Did Brian have the full list with the three purely restrictive directives?
The UISafety directives are in a grey area somewhat. Does it matter so long
as semi-sensible merging strategies exist? (Playing devil's advocate - Don't
tell Brian)

Kind regards
Jonathan

On Mon, Sep 28, 2015 at 11:09 PM Brian Smith <brian@briansmith.org> wrote:

> On Mon, Sep 28, 2015 at 11:44 AM, Joel Weinberger <jww@chromium.org>
> wrote:
>
>> While I like the maintainability of this proposal, it seems like it might
>> complicate the versioning that Dev has proposed in the past (that I really
>> like). Namely, for each sub-spec, you'd have to tie it into a specific CSP
>> version you'd like it to be in, and tracking all of that information down
>> across specs might be difficult. But if we want versioning, maybe it's
>> still worth figuring out how to do it well across distributed chunks like
>> this.
>>
>
> I see Mike's proposal as a way towards avoiding versioning. I think it is
> worth trying to avoid versioning. It's not clear what issues that people
> are proposing to solve with versioning, though.
>
> Cheers,
> Brian
>
Received on Tuesday, 29 September 2015 00:03:57 UTC
