
Re: Making it easier to deploy CSP.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 15 Feb 2016 10:55:31 +1100
Message-ID: <CABkgnnXF8xyeEA9YjhPU2ddDoeNdGLz21qgSi0UE_yaXaK48qw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Artur Janc <aaj@google.com>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>

On 14 February 2016 at 16:39, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Personally, my preference for increasing complexity is in the order---web
> apps and then browsers and then standards.

The priority of constituencies would (perfectly) disagree on this point.

https://www.w3.org/TR/html-design-principles/#priority-of-constituencies

The thing I'm trying to wrap my head around is how this fits with the
general CSP design pattern.  How does adding this directive narrow the
set of things that are permitted?  It actually appears to do the
opposite.  The purpose being to give dynamically inserted scripts an
exemption.
Received on Sunday, 14 February 2016 23:56:00 UTC
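A small model of the script-src check under discussion, added here as an example; it is not code from the message above or from any browser's CSP implementation. The message does not name the directive, so the model assumes it is CSP3's 'strict-dynamic' and follows that directive's published rules: scripts carrying a matching nonce run, external scripts that are not parser-inserted run, host allowlists and 'unsafe-inline' are ignored, and parser-inserted scripts without a nonce (document.write, innerHTML) do not. The two policies, the host names and the three scripts are constructed for the illustration. Hash sources and 'self' are left out.

```javascript
// Added example: a toy script-src evaluator showing what the exemption for
// dynamically inserted scripts changes, relative to a plain nonce + allowlist
// policy. The directive is assumed to be CSP3's 'strict-dynamic'; the message
// being illustrated does not name it.

function parseScriptSrc(directiveValue) {
  const policy = { nonces: new Set(), hosts: [], strictDynamic: false, unsafeInline: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    const lower = token.toLowerCase();
    if (lower.startsWith("'nonce-") && token.endsWith("'")) {
      policy.nonces.add(token.slice(7, -1)); // nonce values are case-sensitive
    } else if (lower === "'strict-dynamic'") {
      policy.strictDynamic = true;
    } else if (lower === "'unsafe-inline'") {
      policy.unsafeInline = true;
    } else if (!lower.startsWith("'")) {
      policy.hosts.push(lower.replace(/\/$/, "")); // host-source, e.g. https://cdn.example
    }
    // 'self', hash sources and other keywords are out of scope for this model
  }
  return policy;
}

// Simplified host-source match: exact origin or a path under it.
function matchesHost(hostExpr, src) {
  const s = src.toLowerCase();
  return s === hostExpr || s.startsWith(hostExpr + "/");
}

// script: { src, nonce?, parserInserted }
// parserInserted is true for markup the HTML parser saw (static tags,
// document.write, innerHTML) and false for createElement + appendChild.
function allowsScript(policy, script) {
  if (script.nonce !== undefined && policy.nonces.has(script.nonce)) return true;
  if (policy.strictDynamic) {
    // Trust propagates from already-running script: anything inserted through
    // DOM APIs runs, while parser-inserted markup and the host allowlist are
    // ignored. This is the exemption the message asks about.
    return !script.parserInserted;
  }
  return policy.hosts.some((h) => matchesHost(h, script.src));
}

// Constructed scenario: a nonced bootstrap script that loads a vendor script
// via createElement, plus a third-party snippet that document.write()s a tag.
const SCRIPTS = {
  bootstrap: { src: "/app.js", nonce: "r4nd0m", parserInserted: true },
  vendor: { src: "https://vendor.example/analytics.js", parserInserted: false },
  widget: { src: "https://cdn.example/widget.js", parserInserted: true },
};

const PLAIN = "'nonce-r4nd0m' https://cdn.example";
const STRICT = "'nonce-r4nd0m' https://cdn.example 'strict-dynamic'";

// Returns, per script, whether each policy lets it run.
function compare(plainValue, strictValue, scripts) {
  const plain = parseScriptSrc(plainValue);
  const strict = parseScriptSrc(strictValue);
  const result = {};
  for (const [name, s] of Object.entries(scripts)) {
    result[name] = { plain: allowsScript(plain, s), strict: allowsScript(strict, s) };
  }
  return result;
}

// bootstrap: nonce matches, runs under both policies.
// vendor:    no nonce and host not listed, blocked under PLAIN; not
//            parser-inserted, so runs under STRICT (the policy widens here).
// widget:    host listed, runs under PLAIN; allowlist ignored and
//            parser-inserted, so blocked under STRICT (the policy narrows here).
console.table(compare(PLAIN, STRICT, SCRIPTS));
```

Run with `node` to print the table. The point the model makes concrete is that the directive does not only relax the policy: the allowlist the vendor script would have needed is ignored, so a nonce plus the dynamic exemption both admits scripts a plain nonce policy would block and blocks scripts a plain allowlist would admit.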
