- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Wed, 15 Jul 2009 22:18:26 -0400
On Wed, Jul 15, 2009 at 9:53 PM, Jeremy Orlow<jorlow at chromium.org> wrote: > Didn't Ian, 2 messages back, suggest that vendors experiment and bring their > results back to the table at a later date? ?Or has CSP never been discussed > here? I haven't seen it discussed here, but maybe it has been and I didn't see or don't remember. Although Ian might not want to consider it for HTML 5 without vendor agreement, I'd think that a separate working group could be set up (or an existing one appropriated) to work it out with input from multiple vendors. Implement-then-document surely isn't an ideal procedure for large, complicated things like CSP. There would be a lot of wasted effort if other vendors decide they don't like the approach, and Mozilla might be more reluctant to invest in other solutions after they've put a lot of work into CSP. I might be overestimating the difficulty of implementing CSP, but the spec page is more than 6000 words, and it's not even particularly precise (at least not as precise as HTML 5 is). X-Frame-Options is about one paragraph to fully specify, and can't have been too hard to implement -- vendors making up things like that independently (or HttpOnly cookies, etc.) is a lot more reasonable.
Received on Wednesday, 15 July 2009 19:18:26 UTC