We're accepting Content Security Policies via either an HTTP header or meta element, and there's discussion in the WG regarding the way we parse/handle the header's content. `report-uri`, for instance, might or might not be something we want to support in the meta element. Likewise, we almost certainly don't want to support `reflected-xss` in the meta element.
To support those sorts of distinction, we should teach the CSP object about the source of the policy. This is probably as simple as adding an enum. I'll take a look today.
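The source-aware filtering sketched above, as an added example that is not WebKit code: a `PolicySource` enum and a small parser that drops directives the delivery mechanism may not carry. The set of directives ignored from `<meta>` is an assumption for the example (the thread leaves `report-uri` undecided).

```cpp
#include <cctype>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// The "source of the policy" enum proposed in the comment (hypothetical shape).
enum class PolicySource { HTTPHeader, MetaElement };

struct Directive {
    std::string name;
    std::string value;  // remaining tokens of the directive, trimmed
};

// Assumption for this example: directives ignored when delivered via <meta>.
static const std::set<std::string> kMetaIgnored = {"report-uri", "reflected-xss"};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parse a serialized policy ("name value; name value") and discard directives
// that the given delivery source is not allowed to carry. Returns what is kept.
std::vector<Directive> parsePolicy(const std::string& policy, PolicySource source) {
    std::vector<Directive> kept;
    std::stringstream ss(policy);
    std::string token;
    while (std::getline(ss, token, ';')) {
        token = trim(token);
        if (token.empty()) continue;  // tolerate empty segments such as ";;"
        size_t sp = token.find_first_of(" \t");
        Directive d;
        d.name = token.substr(0, sp);
        d.value = (sp == std::string::npos) ? "" : trim(token.substr(sp));
        for (auto& c : d.name) c = static_cast<char>(std::tolower(c));  // names are case-insensitive
        if (source == PolicySource::MetaElement && kMetaIgnored.count(d.name))
            continue;  // ignored when the policy came from a meta element
        kept.push_back(d);
    }
    return kept;
}

// Whether a directive survives parsing for a given delivery source.
bool directiveHonored(const std::string& policy, PolicySource source, const std::string& name) {
    for (const auto& d : parsePolicy(policy, source))
        if (d.name == name) return true;
    return false;
}
```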
Ugh. The actual change here is very straightforward, but things end up being piped through eighty-three levels of worker context shifts*, and back and forth between Chromium and WebKit. Not pretty.
I'd also end up requiring a new `deprecatedSource` method to match `deprecatedType`. I don't really want to add an instantly deprecated method. :)
I'm not sure the distinction is even relevant for workers (at least, the directives being discussed right now don't seem relevant). I'll throw up a patch that papers over the problem with a Worker source, just to get a conversation going.
*this number might be slightly exaggerated.
Created attachment 175951
Friendly ping. I'm hopeful that we can either avoid piping this through workers, or find a mechanism that lets us do it without tons of busywork. :)
This seems too speculative at the moment. We don't know how this conversation is going to pan out in the working group. If we end up needing this flag, this isn't an unreasonable way to wire it in, but it's not clear to me whether we're going to need it.
(In reply to comment #4)
> This seems too speculative at the moment. We don't know how this conversation is going to pan out in the working group. If we end up needing this flag, this isn't an unreasonable way to wire it in, but it's not clear to me whether we're going to need it.
If meta or html@policy or whatever remains in 1.1, we'll quite likely need something along these lines for 'reflected-xss' (assuming that remains in 1.1 as well). *shrug* I'll mark this LATER for the moment, and come back to it when it's more pressing.
Comment on attachment 175951
Cleared review? from attachment 175951 so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).