W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2012

RE: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky

From: Fred Andrews <fredandw@live.com>
Date: Wed, 17 Oct 2012 22:42:56 +0000
Message-ID: <BLU002-W196D16DCB48DE395DBF0C07AA770@phx.gbl>
To: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>

Viewing the DOM/script platform as being incapable to maintaining privacy has
been used by the WG to exclude some consideration of privacy in the CSP spec.
The WG has revised the amount of information sent in reports and I commend
them for this.

What the WG has failed to consider is the capability of the UA to maintain privacy,
and it would be hard for the WG to argue that a UA could not block reports and
thus the conclusion of the WG that the platform is not capable of maintaining
the privacy of the security violation reports in false.  Thus I believe the refusal of
the WG to consider privacy issues is a failing of the WG.

The reason stated below for rejecting issue 11 may mislead some reads and I
request that it be changed to more completely reflect the reality of the WGs decision.
The that "violation reports do not disclose any information not already available
to the author of the resource" is clearly false because if the author already knew
the information then there would be no need to send the report.

I suggest that the reality is that the WG refuses to consider privacy matters because
it views the DOM/script platform as being incapable to maintaining privacy and would
appreciate it if the reason could be revise along these lines for the record.

It may be helpful to privacy advocates to understand the reasons for rejecting privacy
considerations in ongoing standards so that they can ponder paths forward.

cheers
Fred

From: bhill@paypal-inc.com
To: public-webappsec@w3.org; fredandw@live.com; bzbarsky@MIT.EDU
Date: Fri, 12 Oct 2012 22:11:16 +0000
Subject: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews  and Boris Zbarsky









As we prepare to move to CSP 1.0 to Candidate Recommendation, I find I have erred as a chair in the procedure to publicly document the WGs resolution of Boris Zbarsky and Fred Andrews post-Last Call comments in the following messages:
 
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0005.html
 
We opened issues, notified the list of such, and the resolution of these issues is publicly visible, but I was requested as part of CR review that the group document this more fully and explicitly on the list and reply directly to the commenters
 by email.
 
The full resolution of each of these issues, as recorded in our teleconferences, is available at the links below, a brief summary of the WGs action is included inline here, and the commenters are ccd on this message.
 
Issue 11 was re-raised to address privacy concerns about the CSP reporting feature.
https://www.w3.org/2011/webappsec/track/issues/11

 
The WG rejected making any changes based on Mr. Andrews comments as violation reports do not disclose any information not already available to the author of the resource.
 
Issue 16 was raised to address editorial concerns about the scope and authority of CSP in the client execution context.
https://www.w3.org/2011/webappsec/track/issues/16

 
The WG accepted and incorporated this feedback.
 
Issue 17 was raised to address concerns about interference by CSP with extensions/plugins.
https://www.w3.org/2011/webappsec/track/issues/17

 
The WG considered that this core concern was already adequately addressed by the current text, and more detailed non-normative guidance can be added to future versions as implementation experience suggests.
 
Issue 18 was raised to address concerns about the purpose and use of CSP.
https://www.w3.org/2011/webappsec/track/issues/17

 
The WG closed this issue, choosing to make no modifications to the specification text, as the suggestions were outside of the chartered goals of the WG, and the existing text did not preclude it from being used in the suggested manner but
 such uses would be highly specific to proprietary technology implementations,
 
Issue 19 was raised to address concerns about use of non-ASCII characters in CSP.
https://www.w3.org/2011/webappsec/track/issues/19
 
The WG closed this issue, choosing to make no modifications to the specification text, user agents need to translate IRIs into URIs for use in  HTTP and everything in CSP 1.0 is defined in terms of networking  operations at the HTTP layer.
 
 
We will hold off publishing the CR of CSP 1.0 for one week from this date (October 12) to give these individuals an opportunity to re-raise these concerns if they do not feel the WG has adequately addressed them.
 
Thank you,
 
Brad Hill
WebAppSec WG co-chair
 		 	   		  
Received on Wednesday, 17 October 2012 22:43:24 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 13:26:30 UTC