On 8/21/12 7:33 PM, "Ryan Sleevi" <sleevi@google.com<mailto:sleevi@google.com>> wrote:
>>I've been trying to find a way to propose text that balances these
>>concerns, but to be honest, I don't have a good solution. Part of this
>>is what lead to the proposal of requiring CSP, since this can mitigate
>>(some of) the security concerns, but I think there's still a lot of
>>security risks that have to be talked through and discussed before we
>>go too far.
Ryan,
>From my notes at the F2F, we had attributes of type scope (including access control and temporary/permanent). These were supposed to be set at the time of creation and read-only after that. Access control attribute was meant to allow the origin to specify which sites can access/use this key (may be we need granularity of purpose too).
I have not been following the conversations much lately, but I do not see the access control attribute in the draft (temporary is there). Has it been dropped because of some reason?
Thanks,
Seetharama