
Fwd: CSP formal objection.

From: Glenn Adams <glenn@skynav.com>
Date: Mon, 27 Jan 2014 11:28:31 -0700
Message-ID: <CACQ=j+eRLYMJ-5YGVrk54F3cZ80aNsQk9n4NQaeQgv2GZZ565A@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Forwarding to WG ML for wider input.

---------- Forwarded message ----------
From: Mike West <mkwst@google.com>
Date: Mon, Jan 27, 2014 at 11:25 AM
Subject: Re: CSP formal objection.
To: Glenn Adams <glenn@skynav.com>


Great, thanks for putting this together. Would you mind making this
proposal publicly to the list so we can try to come to consensus ahead of
Wednesday's call?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:

>
>
>
> On Mon, Jan 27, 2014 at 10:10 AM, Mike West <mkwst@google.com> wrote:
>
>> Hey Glenn,
>>
>> Where do you feel we are with
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357 ?  I'd like to get
>> CSP 1.1 to last call relatively soon, so I'd like to understand what you
>> think needs to happen in order for you to consider your objection dealt
>> with in a way you're happy with.
>>
>
> *Option #1*
>
> Our preference would be to simply *remove* the following text from 3.2.3:
>
> "Enforcing a policy *should not* interfere with the operation of
> user-supplied scripts such as third-party user-agent add-ons and JavaScript
> bookmarklets."
>
> *Option #2*
>
> However, absent removing this text, we could accept changing this to a
> note with a slight rewrite:
>
> "*Note:* A user agent may enforce a policy with respect to the operation
> of user-supplied scripts such as third-party user-agent add-ons and
> JavaScript bookmarklets."
>
> *Option #3*
>
> Our actual preference would be to restate the original text as:
>
> "A user agent must enforce a policy with respect to the operation of
> user-supplied scripts such as third-party user-agent add-ons and JavaScript
> bookmarklets."
>
> But we think the group won't accept this, thus we can accept (at this
> juncture) either option #1 or #2 or some equivalent.
>
> Regards,
> Glenn (for CoxCom)
>
>
>>
>> Thanks!
>>
>> -mike
>>
>>
>
>
Received on Monday, 27 January 2014 18:29:19 UTC
