Module granularity (Re: Comments on the Content Security Policy specification)

[Adam Barth]

On Tue, Oct 20, 2009 at 3:35 PM, Lucas Adamski <lu...@mozilla.com> wrote:
> The problem with modules I see is they will complicate the model in the long
> run, as the APIs they govern will not be mutually exlusive.  What if 3
> different modules dictate image loading behaviors?  What if the given user
> agent in a scenario does not implement the module where the most restrictive
> of the 3 policies is specified?

This seems like a question of granularity. Presumably a decomposition
that has three modules competing to control image loads is too
granular. There seem to be some clear wins to modularizing the
current spec. For example, the reporting infrastructure seems
independent of whether you can block XMLHttpRequest targets.

Adam

[Lucas Adamski]

The reporting infrastructure does seem pretty easy to modularize but
it's also a bit exceptional as it doesn't drive any actual content
behaviors. I'm going to have to chew on this some more but my primary
concern remains that this approach could increase complexity and
reduce reliability in the long run (esp. when combined with fragmented
implementation by user agents).
Lucas.

On Oct 20, 2009, at 15:49, Adam Barth <abarth-...@adambarth.com>
wrote: