On Wed, Jul 15, 2009 at 9:53 PM, Jeremy Orlow <jor...@chromium.org> wrote:
> Didn't Ian, 2 messages back, suggest that vendors experiment and bring their
> results back to the table at a later date? Or has CSP never been discussed
> here?

I haven't seen it discussed here, but maybe it has been and I didn't see or don't remember. Although Ian might not want to consider it for HTML 5 without vendor agreement, I'd think that a separate working group could be set up (or an existing one appropriated) to work it out with input from multiple vendors. Implement-then-document surely isn't an ideal procedure for large, complicated things like CSP. There would be a lot of wasted effort if other vendors decide they don't like the approach, and Mozilla might be more reluctant to invest in other solutions after they've put a lot of work into CSP. I might be overestimating the difficulty of implementing CSP, but the spec page is more than 6000 words, and it's not even particularly precise (at least not as precise as HTML 5 is). X-Frame-Options is about one paragraph to fully specify, and can't have been too hard to implement -- vendors making up things like that independently (or HttpOnly cookies, etc.) is a lot more reasonable.