- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 8 Sep 2016 08:50:25 -0700
- To: Mike West <mkwst@google.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>
On 9/8/16 6:10 AM, Mike West wrote:
> What syntax issue do we need to discuss? If there are remaining syntax
> questions, we should resolve them quickly, as Chrome is shipping what's
> currently in the spec, and Google sites are beginning to rely on the
> currently specified behavior. :)

I'm uncomfortable with the multilayered "ignore this if that" within a single directive; it will be especially confusing to developers to have an ignored whitelist of sites.

It would be clearer, and more flexible in the future if we need to add options or restrictions on 'strict-dynamic', to have a separate directive which overrides 'script-src' in UAs that understand it (as script-src itself overrides default-src). Because we may want other dynamic types in the future, and to help indicate what it's overriding, we would want to rename it to 'dynamic-script' or something.

-Dan Veditz
Received on Thursday, 8 September 2016 15:50:57 UTC
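
The layered "ignore this if that" behaviour discussed in this message, sketched as an added example (not part of the original message, and not any browser's code): it models which `script-src` source expressions a user agent still honours depending on the CSP level it implements. The function names, the policy string and the host `cdn.example` are constructed for illustration, and the model is simplified (for example, `'none'` is not handled).

```javascript
// Added illustration: which script-src expressions stay in force per CSP level.
// Simplified model of the backward-compatibility rules; names are hypothetical.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+\/_=-]+'$/i;

function parseDirectives(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSources(policy, level) {
  const d = parseDirectives(policy);
  // script-src overrides default-src when both are present.
  const sources = d.get('script-src') ?? d.get('default-src') ?? null;
  if (sources === null) return null; // scripts are not restricted at all
  const hasNonceOrHash = sources.some(s => NONCE_OR_HASH.test(s));
  const hasStrictDynamic =
    sources.some(s => s.toLowerCase() === "'strict-dynamic'");
  return sources.filter(s => {
    const k = s.toLowerCase();
    if (NONCE_OR_HASH.test(s)) return level >= 2;     // unknown to CSP1 UAs
    if (k === "'strict-dynamic'") return level >= 3;  // unknown before CSP3
    if (k === "'unsafe-eval'") return true;           // never affected
    if (k === "'unsafe-inline'") {
      // Ignored once the UA understands a nonce/hash or 'strict-dynamic'.
      return !(level >= 2 && hasNonceOrHash) && !(level >= 3 && hasStrictDynamic);
    }
    // Host-source, scheme-source and 'self': the allowlist that a
    // 'strict-dynamic'-aware UA silently ignores.
    return !(level >= 3 && hasStrictDynamic);
  });
}

// Constructed sample policy carrying fallbacks for older user agents.
const SAMPLE_POLICY =
  "script-src 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example 'self' " +
  "'unsafe-inline'; object-src 'none'";

for (const level of [1, 2, 3]) {
  console.log(`CSP${level}:`, effectiveScriptSources(SAMPLE_POLICY, level).join(' '));
}
```
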