RE: Proposal for CSP support

2015-02-25 Thread Chuck Lantz
cess at all. This essentially would follow suit with the idea that a different CSP policy can be applied by top level page nav. -Chuck -Original Message- From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve Sent: Tuesday, February 24, 2015 7:18 PM To: dev Subject

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
dropped either now or sometime in the future. > > -Chuck > > -Original Message- > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew > Grieve > Sent: Tuesday, February 24, 2015 12:15 PM > To: dev > Subject: Re: Proposal for CSP support > > De

RE: Proposal for CSP support

2015-02-24 Thread Chuck Lantz
cy-whitelist gets dropped either now or sometime in the future. -Chuck -Original Message- From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve Sent: Tuesday, February 24, 2015 12:15 PM To: dev Subject: Re: Proposal for CSP support Definitely hoping that we can have a

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
ents like allow-navigation be introduced for iOS and > other platforms as well? > > -Chuck > > -Original Message- > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew > Grieve > Sent: Tuesday, February 24, 2015 7:59 AM > To: dev > Subject

RE: Proposal for CSP support

2015-02-24 Thread Chuck Lantz
: dev Subject: Re: Proposal for CSP support I'm not sure allowing plugins to modify an app's security policy is a good idea because CSP only really works when the dev understands it and puts thought into it. A build step for CSP might be tricky because we don't actually know which .html f

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
> gap > > > > in the web standard as a whole.) > > > > > > > > 3. Eval is actually a bit tougher - I know when we've looked at this in > > the > > > > past it impacted JS frameworks far more than inline did. (Ex: With > > > Angular

Re: Proposal for CSP support

2015-02-24 Thread Michal Mocny
but it > also > > > could cause the default template to appear to "not work." If we omit > the > > > "unsafe-eval" directive in the CSP policy in the template we'll want to > > be > > > crystal clear on how to alter it. That could be so

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
> documentation and blog posts though. > > > > 4. I'd suggest we also consider the new "browser" platform here since > > Chrome/Firefox/IE (as of Win 10) have support. Should be "free", but I'm > > guessing the metadata tag injection you mention

Re: Proposal for CSP support

2015-02-20 Thread Jason Chase
we could > probably just do all-up rather than only for specific platforms. > > -Chuck > > -Original Message- > From: mmo...@google.com [mailto:mmo...@google.com] On Behalf Of Michal > Mocny > Sent: Thursday, February 19, 2015 2:25 PM > To: dev > Subject: Re: P

RE: Proposal for CSP support

2015-02-20 Thread Chuck Lantz
om [mailto:mmo...@google.com] On Behalf Of Michal Mocny Sent: Thursday, February 19, 2015 2:25 PM To: dev Subject: Re: Proposal for CSP support Thanks for this clear outline. Jason, I know you've been working on the short-term items for a while as part of your investigation, fixing things as you we

Re: Proposal for CSP support

2015-02-19 Thread Michal Mocny
Thanks for this clear outline. Jason, I know you've been working on the short-term items for a while as part of your investigation, fixing things as you went -- what is the current state of CSP support in platforms / plugins? What portion already has fixes (or PR for them), what work is known but