- From: Mike West <mkwst@google.com>
- Date: Tue, 26 Jul 2016 16:35:19 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eZX=FmHH7nLbdPJCEDd1j1TDf4qwEOXTEMkZgKySUr5w@mail.gmail.com>
Hello, webappsecians!

I've thrown https://discourse.wicg.io/t/proposal-set-origin-wide-policies-via-a-manifest/1617 up at WICG, but the folks in this venue are probably the ones from whom I'm most interested in getting feedback.

https://mikewest.github.io/origin-policy/ sketches out a pinning mechanism for policies that apply to an entire origin. Among other things, it's meant as a replacement for the CSP Pinning mechanism this group just relegated to NOTE status.

In a nutshell, the manifest contains a list of headers (and potentially other kinds of policy, CORS behavior, for instance) that are to be applied to each response from an origin, and the general flow is as follows:

1. The user agent navigates to an origin.
2. The server points the user agent to a manifest file along with the response.
3. The user agent blocks navigation until it retrieves the manifest.
4. The newly acquired manifest is cached, and applied to the current and subsequent fetches from the origin.

I hope the examples in https://mikewest.github.io/origin-policy/#examples make the flow clear.

General feedback is probably best sent to the WICG thread <https://discourse.wicg.io/t/proposal-set-origin-wide-policies-via-a-manifest/1617>. Specific feedback is probably best sent as a GitHub issue <https://github.com/mikewest/origin-policy/issues>.

Thanks! Hopefully this concept isn't nuts.

-mike
Received on Tuesday, 26 July 2016 14:36:09 UTC
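The four-step flow from the message, as an added simulation that is not part of the post or of the origin-policy draft: the header name `Sec-Origin-Policy`, the manifest location `/.well-known/origin-policy`, the JSON manifest shape, and the use of the header value as a manifest version are all assumptions made for this example. The sample origin and its responses are constructed inline.

```python
import json
from urllib.parse import urlsplit

# Assumed names for this example only (not taken from the proposal text).
POLICY_HEADER = "Sec-Origin-Policy"           # response header naming the current manifest version
MANIFEST_PATH = "/.well-known/origin-policy"  # where the manifest is served on the origin

def origin_of(url):
    """Return scheme://host[:port]; manifests are cached and applied per origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def parse_manifest(text):
    """Assumed manifest shape: {"headers": [[name, value], ...]}; reject anything else."""
    headers = json.loads(text).get("headers", [])
    if not all(isinstance(h, list) and len(h) == 2 for h in headers):
        raise ValueError("manifest headers must be [name, value] pairs")
    return [(name, value) for name, value in headers]

class UserAgent:
    def __init__(self, fetch):
        self.fetch = fetch   # fetch(url) -> (status, [(name, value), ...], body)
        self.cache = {}      # origin -> (manifest version, manifest headers)

    def navigate(self, url):
        origin = origin_of(url)
        status, headers, body = self.fetch(url)                 # step 1
        versions = [v for n, v in headers if n.lower() == POLICY_HEADER.lower()]
        cached_version = self.cache.get(origin, (None, []))[0]
        if versions and versions[0] != cached_version:          # step 2: server points at a manifest
            # Step 3: block until the manifest is retrieved. It is always fetched from the
            # origin being navigated, so no other origin can install a policy for it.
            m_status, _, m_body = self.fetch(origin + MANIFEST_PATH)
            if m_status == 200:
                self.cache[origin] = (versions[0], parse_manifest(m_body))
        # Step 4: apply the cached manifest to this and later responses from the origin.
        return status, headers + self.cache.get(origin, (None, []))[1], body

# Constructed sample origin for the demo (not a real site).
SAMPLE_MANIFEST = json.dumps({"headers": [["Content-Security-Policy", "default-src 'self'"],
                                          ["Strict-Transport-Security", "max-age=31536000"]]})
SAMPLE = {
    "https://example.test/": (200, [("Content-Type", "text/html"), (POLICY_HEADER, "policy-1")], "<html>"),
    "https://example.test/page2": (200, [("Content-Type", "text/html"), (POLICY_HEADER, "policy-1")], "<html>"),
    "https://example.test" + MANIFEST_PATH: (200, [("Content-Type", "application/json")], SAMPLE_MANIFEST),
}
FETCH_LOG = []  # every URL the simulated user agent requested, in order

def sample_fetch(url):
    FETCH_LOG.append(url)
    return SAMPLE.get(url, (404, [], ""))
```

The second navigation to the same origin reuses the cached manifest, so the manifest URL appears only once in `FETCH_LOG`.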