On 30/07/09 18:51, Daniel Veditz wrote:
>>   * Remove external policy files.
>
> I'd be happy to drop those, personally. Some people have expressed
> bandwidth concerns that would be solved by a cacheable policy file.

Can we quantify that? At this stage, it's looking like most policies won't be significantly longer than a URL. And the extra RTT on first load, as Hixie says, means that big sites may well choose not to use them. So if removing it reduces implementation and spec complexity, why don't we do that? At least for the first "X-" version.

>>   * Move "inline" and "eval" keywords from "script-src" to a separate
>>     directive, so that all the -src directives have the same syntax
>
> I've argued that too and I think we agreed, although I don't see that
> reflected in the spec or on the talk page.

Yes, we did agree this.
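To make the second point concrete, here is an added example (not code from this thread, from Mozilla, or from any CSP draft) of a small policy parser built around the design both messages agree on: every `-src` directive is parsed with one shared source-list grammar, and the `inline`/`eval` switches are rejected there and accepted only in a separate directive. The directive name `script-options`, the loose host-source check and the sample policies are assumptions of this example, not anything the thread specifies.

```python
"""Toy X-Content-Security-Policy parser (added example, not from the thread).

Assumed design: all '-src' directives share one source-list grammar, and the
'inline'/'eval' keywords live in a separate, hypothetical 'script-options'
directive instead of inside 'script-src'."""
from dataclasses import dataclass, field

SRC_KEYWORDS = {"'self'", "'none'"}   # keyword sources valid in every -src list
OPTION_KEYWORDS = {"inline", "eval"}  # only valid in the separate directive


class PolicyError(ValueError):
    """Raised for any policy the parser does not accept."""


@dataclass
class Policy:
    sources: dict[str, list[str]] = field(default_factory=dict)
    options: set[str] = field(default_factory=set)


def is_host_source(tok: str) -> bool:
    # Deliberately loose host-source check (assumption of this example):
    # optional scheme, host made of alnum/'.'/'-'/'*', optional numeric port.
    host = tok.split("://", 1)[-1]
    host, _, port = host.partition(":")
    if not host or not all(c.isalnum() or c in ".-*" for c in host):
        return False
    return port == "" or port.isdigit()


def parse_source_list(name: str, tokens: list[str]) -> list[str]:
    # One grammar for every -src directive: keyword sources or host sources.
    if not tokens:
        raise PolicyError(f"{name}: empty source list")
    out = []
    for tok in tokens:
        if tok in OPTION_KEYWORDS:
            # The whole point of the split: 'inline'/'eval' are not sources.
            raise PolicyError(f"{name}: '{tok}' is not a source; use script-options")
        if tok in SRC_KEYWORDS or is_host_source(tok):
            out.append(tok)
        else:
            raise PolicyError(f"{name}: unrecognised source {tok!r}")
    return out


def parse_policy(header: str) -> Policy:
    """Parse a ';'-separated policy string into a Policy object."""
    policy = Policy()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, *tokens = raw.split()
        if name.endswith("-src"):
            if name in policy.sources:
                raise PolicyError(f"duplicate directive {name}")
            policy.sources[name] = parse_source_list(name, tokens)
        elif name == "script-options":
            unknown = set(tokens) - OPTION_KEYWORDS
            if unknown:
                raise PolicyError(f"script-options: unknown {sorted(unknown)}")
            policy.options |= set(tokens)
        else:
            raise PolicyError(f"unknown directive {name}")
    return policy


if __name__ == "__main__":
    # Constructed sample policy for illustration.
    print(parse_policy("script-src 'self' cdn.example.com; img-src *; script-options inline"))
```

Because every `-src` directive goes through `parse_source_list`, adding a new `-src` directive costs no parser code, and a policy that tries to smuggle `inline` into `script-src` fails to parse rather than being silently accepted.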

dev-security mailing list
