
Re: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Oct 2012 16:02:13 -0700
Message-ID: <CAJE5ia8Lacc=EsfXbm9=n8m+urQaX54XCVS478rqArX7XnbqRw@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
What you've written below is nonsense.  Please stop trolling this mailing list.

Adam


On Wed, Oct 17, 2012 at 3:42 PM, Fred Andrews <fredandw@live.com> wrote:
>
> Viewing the DOM/script platform as being incapable of maintaining privacy
> has been used by the WG to exclude some consideration of privacy in the
> CSP spec. The WG has revised the amount of information sent in reports
> and I commend them for this.
>
> What the WG has failed to consider is the capability of the UA to
> maintain privacy, and it would be hard for the WG to argue that a UA
> could not block reports, and thus the conclusion of the WG that the
> platform is not capable of maintaining the privacy of the security
> violation reports is false. Thus I believe the refusal of the WG to
> consider privacy issues is a failing of the WG.
>
> The reason stated below for rejecting issue 11 may mislead some readers
> and I request that it be changed to more completely reflect the reality
> of the WG's decision. The claim that "violation reports do not disclose
> any information not already available to the author of the resource" is
> clearly false because if the author already knew the information then
> there would be no need to send the report.
>
> I suggest that the reality is that the WG refuses to consider privacy
> matters because it views the DOM/script platform as being incapable of
> maintaining privacy and would appreciate it if the reason could be
> revised along these lines for the record.
>
> It may be helpful to privacy advocates to understand the reasons for
> rejecting privacy considerations in ongoing standards so that they can
> ponder paths forward.
>
> cheers
> Fred
>
> ________________________________
> From: bhill@paypal-inc.com
> To: public-webappsec@w3.org; fredandw@live.com; bzbarsky@MIT.EDU
> Date: Fri, 12 Oct 2012 22:11:16 +0000
> Subject: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews
> and Boris Zbarsky
>
>
> As we prepare to move CSP 1.0 to Candidate Recommendation, I find I have
> erred as a chair in the procedure to publicly document the WG's resolution
> of Boris Zbarsky's and Fred Andrews' post-Last Call comments in the
> following messages:
>
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0005.html
>
> We opened issues, notified the list of such, and the resolution of these
> issues is publicly visible, but I was requested as part of CR review that
> the group document this more fully and explicitly on the list and reply
> directly to the commenters by email.
>
> The full resolution of each of these issues, as recorded in our
> teleconferences, is available at the links below, a brief summary of the
> WG's action is included inline here, and the commenters are cc'd on this
> message.
>
> Issue 11 was re-raised to address privacy concerns about the CSP reporting
> feature.
>
> https://www.w3.org/2011/webappsec/track/issues/11
>
> The WG rejected making any changes based on Mr. Andrews' comments as
> violation reports do not disclose any information not already available to
> the author of the resource.
>
> Issue 16 was raised to address editorial concerns about the scope and
> authority of CSP in the client execution context.
>
> https://www.w3.org/2011/webappsec/track/issues/16
>
> The WG accepted and incorporated this feedback.
>
> Issue 17 was raised to address concerns about interference by CSP with
> extensions/plugins.
>
> https://www.w3.org/2011/webappsec/track/issues/17
>
> The WG considered that this core concern was already adequately addressed
> by the current text, and more detailed non-normative guidance can be added
> to future versions as implementation experience suggests.
>
> Issue 18 was raised to address concerns about the purpose and use of CSP.
>
> https://www.w3.org/2011/webappsec/track/issues/17
>
> The WG closed this issue, choosing to make no modifications to the
> specification text, as the suggestions were outside of the chartered goals
> of the WG, and the existing text did not preclude it from being used in the
> suggested manner, but such uses would be highly specific to proprietary
> technology implementations.
>
> Issue 19 was raised to address concerns about use of non-ASCII characters
> in CSP.
>
> https://www.w3.org/2011/webappsec/track/issues/19
>
> The WG closed this issue, choosing to make no modifications to the
> specification text; user agents need to translate IRIs into URIs for use in
> HTTP, and everything in CSP 1.0 is defined in terms of networking operations
> at the HTTP layer.
>
> We will hold off publishing the CR of CSP 1.0 for one week from this date
> (October 12) to give these individuals an opportunity to re-raise these
> concerns if they do not feel the WG has adequately addressed them.
>
> Thank you,
>
> Brad Hill
>
> WebAppSec WG co-chair
Received on Wednesday, 17 October 2012 23:03:13 GMT
