Line 65: | Line 65: | ||
-[[User:Sidstamm|Sid]] | -[[User:Sidstamm|Sid]] | ||
== origin/host/source terminology (<span style="color: | == origin/host/source terminology (<span style="color:red;">CLOSED</span>)== | ||
Rather than using the term "host" and "source" would it be more accurate to replace all instances with "HTML5 Origin"? This term has a defined meaning and would remove ambiguity in cases (like report-uri) which are currently defined as both "same host" and "same source". -EricLaw | Rather than using the term "host" and "source" would it be more accurate to replace all instances with "HTML5 Origin"? This term has a defined meaning and would remove ambiguity in cases (like report-uri) which are currently defined as both "same host" and "same source". -EricLaw | ||
Line 74: | Line 74: | ||
Gerv and I were talking about different things. He was not talking about treating all origin/host/source directives as applying to an entire subdomain but rather specifically about allowing the reportURI (and policyURI?) be anywhere on the "same domain" rather than strictly "same origin". I'm ok with publicSuffix+1 for the reportURI but uncomfortable with going beyond same-origin for the policyURI. But having the two directives have different restrictions is confusing. I'm open to arguments that looser restrictions on the policyURI is OK (or that we don't need the policyURI at all -- it complicates a lot of things) -dveditz | Gerv and I were talking about different things. He was not talking about treating all origin/host/source directives as applying to an entire subdomain but rather specifically about allowing the reportURI (and policyURI?) be anywhere on the "same domain" rather than strictly "same origin". I'm ok with publicSuffix+1 for the reportURI but uncomfortable with going beyond same-origin for the policyURI. But having the two directives have different restrictions is confusing. I'm open to arguments that looser restrictions on the policyURI is OK (or that we don't need the policyURI at all -- it complicates a lot of things) -dveditz | ||
Resolution: Requiring "same origin" for policyURI (scheme/host/port), and Public Suffix +1 for reportURI. --[[User:Sidstamm|Sid]] | |||
== What does 'self' represent? (<span style="color:red;">CLOSED</span>)== | == What does 'self' represent? (<span style="color:red;">CLOSED</span>)== |
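Review bot: The added "Resolution:" line in the origin/host/source section settles on different restrictions for the two directives (same origin for policyURI, Public Suffix +1 for reportURI) without answering the objection in the comment directly above it that having the two differ is confusing. Suggest adding one sentence of rationale for why reportURI may be looser than policyURI, and using a single spelling for the directive throughout, since the section's opening comment writes it as report-uri.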