On the subject of smaller nits... In section 1.2, you say: "Mitigate the risk of attacks which require a resource to be embedded in a malicious context ("Pixel Perfect", etc) by giving developers granular control over the origins which can embed a given resource." I'm not sure what you meant by "Pixel Perfect" -- are you referring to the Firefox plugin or something else? I'm betting if it wasn't immediately clear to me, it won't be clear to other readers either, and a quick web search mostly yielded a bunch of hits for some Disney movie whose plot doesn't seem to involve teaching teens about good web security policy. ;) Terri On Fri, Dec 4, 2015 at 5:31 AM, Mike West <mkwst@google.com> wrote: > Hello, webappsecians! > > At TPAC, we discussed stripping CSP3 down to be a clearer explanation of > CSP2 in terms of Fetch, along with a set of hooks that enable modular > documents to define the new stuff. I'm slowly working towards that goal. > > https://w3c.github.io/webappsec-csp/ is substantially rewritten, and I've > started working with our friends in the WHATWG to add relevant hooks to > their version of HTML and Fetch. There's still a little bit of outstanding > work to be done, but it's far enough along that it would be helpful to get > some more eyes on the document before I erroneously convince myself that > it's finished. > > Once you finish reading Brad's new UI Security draft, I'd appreciate you > taking a look at this one. :) > > -mike >Received on Monday, 11 January 2016 23:56:24 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC