- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 12 Feb 2014 16:04:32 +0100
- To: Mike West <mkwst@google.com>
- Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
* Mike West wrote:
>Sure, forking the repo and editing the HTML is above and beyond. My intent
>was simply to avoid the misinterpretation that the previous iteration of
>this thread suffered from, not to farm out the work of editing the spec.

You should give consideration to the fact that some reviewers reading this
list do not know Git, GitHub, HTML editing, are not fluent enough in English
to write specification prose, and might be intimidated or embarrassed should
they be asked to "file a pull request". In this case, it is also worth noting
that http://www.w3.org/TR/CSP11/ is covered under the "W3C Document License"
and "No right to create modifications or derivatives of W3C documents is
granted pursuant to this license", so I would indeed consider this out of
the question.

It is fine to ask reviewers to sketch out text and changes that would address
their concerns, and offering them the option, when available, to do so in the
form of a patch or pull request or whatever -- if they like to do so -- is
also okay, just do not make it difficult for reviewers to ignore such offers
(and no, ignoring a request to be "more productive" and avoid "to go back and
forth about" something is not trivially easy for everybody).

>> >If you're referring to the discussion we had a few months ago around the
>> >impact of reporting on user privacy, then I'd reassert the claim that CSP
>> >reporting doesn't make anything possible that isn't already possible via
>> >existing DOM APIs (MutationObserver, event listeners, delayed measurement
>> >via setTimeout, etc). We can have that discussion again, if you like.
>>
>> That is never an acceptable response to privacy concerns.
>
>I disagree. "X is already available." is a pretty reasonable response to
>"If we do Y, X will be available."

You should consider that the concern might actually come with qualifiers
like "by design" or "more reliably" or "more easily". When a browser has the
option to disable third party cookie data, and a web site finds some clever
way to obtain third party cookie data anyway, then that data may have been
"available", but the web site might still get fined for doing something they
should not. We are not talking about information security here.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 12 February 2014 15:05:02 UTC