Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Versioning vs. Modularity (was Re: Comments on the Content Security Policy specification)
0 views
Skip to first unread message
Adam Barth
Oct 20, 2009, 6:27:06 PM10/20/09
to Lucas Adamski, Collin Jackson, dev-se...@lists.mozilla.org, Gervase Markham, Sid Stamm, Brandon Sterne
On Tue, Oct 20, 2009 at 3:21 PM, Lucas Adamski <lu...@mozilla.com> wrote:
> I've been a firm believer that CSP will evolve over time but that's an
> argument for versioning though, not modularity. We are as likely to have to
> modify existing behaviors as introduce whole new sets. It's also not a
> reason to split the existing functionality into modules.
> I've been a firm believer that CSP will evolve over time but that's an
> argument for versioning though, not modularity. We are as likely to have to
> modify existing behaviors as introduce whole new sets. It's also not a
> reason to split the existing functionality into modules.
I'm not sure versioning is the best approach for web technologies.
For example, versioning has been explicitly rejected for HTML,
ECMAScript, and cookies. In fact, I can't really think of a
successful web technology that uses versioning instead of
extensibility. Maybe SSL/TLS? Even there, the modern approach is to
advance the protocol with extensions (e.g., SNI).
Adam
Lucas Adamski
Oct 20, 2009, 6:45:25 PM10/20/09
to Adam Barth, Collin Jackson, dev-se...@lists.mozilla.org, Gervase Markham, Sid Stamm, Brandon Sterne
I'm not a fan of it but it's unavoidable for a security mechanism. We
already had bugs filed against CSP that would result in content
impacting behavioral changes. Not to mention that even module-centric
functionality would have to be revised to govern new APIs and new
types of attacks against existing APIs. Other option I guess is not
versioning and just breaking content periodically.
Lucas
already had bugs filed against CSP that would result in content
impacting behavioral changes. Not to mention that even module-centric
functionality would have to be revised to govern new APIs and new
types of attacks against existing APIs. Other option I guess is not
versioning and just breaking content periodically.
Lucas
On Oct 20, 2009, at 15:27, Adam Barth <abarth-...@adambarth.com>
wrote:
0 new messages