
Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 12 Oct 2012 22:11:16 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, "Fred Andrews (fredandw@live.com)" <fredandw@live.com>, "Boris Zbarsky (bzbarsky@MIT.EDU)" <bzbarsky@MIT.EDU>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E29DE52@DEN-EXDDA-S12.corp.ebay.com>

As we prepare to move CSP 1.0 to Candidate Recommendation, I find I have erred as a chair in the procedure to publicly document the WG's resolution of Boris Zbarsky's and Fred Andrews' post-Last Call comments in the following messages:

http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0005.html

We opened issues, notified the list of such, and the resolution of these issues is publicly visible, but I was requested as part of CR review that the group document this more fully and explicitly on the list and reply directly to the commenters by email.

The full resolution of each of these issues, as recorded in our teleconferences, is available at the links below, a brief summary of the WG's action is included inline here, and the commenters are cc'd on this message.

Issue 11 was re-raised to address privacy concerns about the CSP reporting feature.
https://www.w3.org/2011/webappsec/track/issues/11

The WG rejected making any changes based on Mr. Andrews' comments as violation reports do not disclose any information not already available to the author of the resource.

Issue 16 was raised to address editorial concerns about the scope and authority of CSP in the client execution context.
https://www.w3.org/2011/webappsec/track/issues/16

The WG accepted and incorporated this feedback.

Issue 17 was raised to address concerns about interference by CSP with extensions/plugins.
https://www.w3.org/2011/webappsec/track/issues/17

The WG considered that this core concern was already adequately addressed by the current text, and more detailed non-normative guidance can be added to future versions as implementation experience suggests.

Issue 18 was raised to address concerns about the purpose and use of CSP.
https://www.w3.org/2011/webappsec/track/issues/17

The WG closed this issue, choosing to make no modifications to the specification text, as the suggestions were outside of the chartered goals of the WG, and the existing text did not preclude it from being used in the suggested manner, but such uses would be highly specific to proprietary technology implementations.

Issue 19 was raised to address concerns about use of non-ASCII characters in CSP.
https://www.w3.org/2011/webappsec/track/issues/19

The WG closed this issue, choosing to make no modifications to the specification text; user agents need to translate IRIs into URIs for use in HTTP, and everything in CSP 1.0 is defined in terms of networking operations at the HTTP layer.

We will hold off publishing the CR of CSP 1.0 for one week from this date (October 12) to give these individuals an opportunity to re-raise these concerns if they do not feel the WG has adequately addressed them.

Thank you,

Brad Hill
WebAppSec WG co-chair

Received on Friday, 12 October 2012 22:11:46 GMT
