Mike West

Naaaaaaames. Ugh. With the caveat that we should just land on something and run with it quickly (since I think Chrome is already shipping this to allow control over text...

"Environment" isn't bad... do environment settings objects span realms? That is, could we have more than one environment in a given document/worker? If not, it's a pretty reasonable match from...

I don't have a strong opinion about the solution, other than to note that Document Policy seems like a reasonable place to put a control like this one. I've asked...

I expect @otherdaniel will pick it up at some point in the somewhat near future, but we can archive it until then. Unarchival is fairly trivial. :) Thanks for cleaning...

This wouldn't be terribly difficult to do. We'd need to adjust https://html.spec.whatwg.org/#set-the-frozen-base-url to send the `nonce` value as well as the URL when checking the policy, which doesn't seem like...

@annevk: Is the adjustment to the integration of CSP and `` suggested in my comment above something you'd accept in HTML? /cc @hiroshige-g as a follow-up to your internal thread.

Yes. We'd layer this into CSP as a feature of `base-uri`, which would clear the way for the single nonce expressed in https://mikewest.github.io/csp-next/scripting-policy.html to have the same effect in the...

> This can, however, get confusing This is my main concern. > If we somehow found a satisfactory answer to this I think I'd be most comfortable ignoring CSP if...

I don't feel like I understand the proposal. For instance, wouldn't a "read-only" mode need to prevent the form submission, since that's a pretty clear mechanism for communication? Likewise, doesn't...

>> wouldn't a "read-only" mode need to prevent the form submission, since that's a pretty clear mechanism for communication > > Just to be clear, are you concerned that form...