On Wed, Jun 8, 2016 at 2:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:
> I agree with the trade-off that Artur outlined. My general inclination is
> that specifications/browsers should make more flexible, low-level
> primitives and then linters, stackoverflow, frameworks to warn about unsafe
> uses or provide safe high level abstractions. But, as Artur points out, it
> is not clear this has worked for CSP. So, now this is almost a meta
> question. I am ok with whatever Mike, as editor, prefers :)
>
'unsafe-dynamic' is dead, long live 'strict-dynamic':
https://github.com/w3c/webappsec-csp/commit/3476890664ada8efe2122301e6a4901cb12b520e
1. 'unsafe' is clearly wrong.
2. If we decide that we really, really need to split the keyword later,
this name doesn't prevent us from doing so.
3. 'strict' might theoretically hint at the notion that we're dropping the
whitelist, and strictifying the policy.
4. `random.org` picked this one above the several variants Artur, et al.
came up with.
-mike