Re: Comments on the Content Security Policy specification

On 30/07/09 18:51, Daniel Veditz wrote:
>>   * Remove external policy files.
>
> I'd be happy to drop those, personally. Some people have expressed
> bandwidth concerns that would be solved by a cacheable policy file.

Can we quantify that? At this stage, it's looking like most policies 
won't be significantly longer than a URL. And the extra RTT on first 
load, as Hixie says, means that big sites may well choose not to use 
them. So if removing it reduces implementation and spec complexity, why 
don't we do that? At least for the first "X-" version.

>>   * Move "inline" and "eval" keywords from "script-src" to a separate
>>     directive, so that all the -src directives have the same syntax
>
> I've argued that too and I think we agreed, although I don't see that
> reflected in the spec or on the talk page.

Yes, we did agree this.

Gerv

Received on Monday, 10 August 2009 12:01:06 UTC