(→Distinguishing Keywords (OPEN): single quotes sound good)
PublicSuffix+1 is a bad compromise. If we assume the author means exactly and only the host they specify then the policy is clear (no hidden meanings) and can be restrictive if necessary. If the author wants your behavior they can add a wildcard, which also has an explicitly clear meaning. -dveditz
Gerv and I were talking about different things. He was not talking about treating all origin/host/source directives as applying to an entire subdomain but rather specifically about allowing the reportURI (and policyURI?) to be anywhere on the "same domain" rather than strictly "same origin". I'm ok with publicSuffix+1 for the reportURI but uncomfortable with going beyond same-origin for the policyURI. But having the two directives have different restrictions is confusing. I'm open to arguments that looser restrictions on the policyURI are OK (or that we don't need the policyURI at all -- it complicates a lot of things) -dveditz
== What does 'self' represent? (<span style="color:red;">CLOSED</span>)==