Re: CfC to publish a LCWD of CSP 1.1 from Glenn Adams on 2014-06-11 (public-webappsec@w3.org from June 2014)

From: Glenn Adams <glenn@skynav.com>
Date: Wed, 11 Jun 2014 08:37:37 -0600
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Sigbjørn Vik <sigbjorn@opera.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <CACQ=j+eRTX65kgDGrTgXN6GLkvKeKqOsif3T4ZO5-5+MCJD6Dw@mail.gmail.com>

+1 for LCWD


On Wed, Jun 11, 2014 at 2:14 AM, Mike West <mkwst@google.com> wrote:

> Hello, lovely Webappsecians,
>
> Over the last week or two, I've landed some changes to the spec which (I
> hope) resolve the outstanding issues folks have raised since I last asked
> about moving to last call (in January[1]). The remaining open issues on
> both GitHub and the webappsec tracker are targeting CSP 1.2, which I'd like
> to get started on once CSP 1.1 is safely on it's way out the door.
>
> I think CSP 1.1 is ready to move on; I'd like to see if the group agrees,
> hence this Call for Consensus to move to Last Call. Best case, you all
> agree. Hooray! Worst case, this is a forcing function for all of you to
> note the things you consider blockers, which is also a good outcome. :)
>
> Please read through the current draft, up for review at
> https://w3c.github.io/webappsec/specs/content-security-policy/, and send
> comments to public-webappsec@w3.org. Positive feedback is encouraged.
>
> This CfC will end at our next scheduled call (June 18th, 2014).
>
> ---
>
> The only major issue raised between January and now was covered in the
> long thread concerning redirects and paths (and, tangentially, all of CSP's
> reporting) that started at [2]. The resolution proposed in the draft is the
> following:
>
> * After a redirect, the path component of source expressions is ignored,
> as noted in
> https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-paths-and-redirects
>
> * Redirects are blocked by default: authors must opt-in to enabling
> redirects (which must still match directives' source list) via the new
> 'unsafe-redirect' source expression:
> https://github.com/w3c/webappsec/commit/d1fd42a6df58ef2a7afedcd12ae2bff76a096d1a
>
> * Reporting does not include the origin of a redirect's target, but only
> the origin of the originally requested URL.
>
> I believe this is a reasonable set of compromises for CSP 1.1, does the
> working group agree? Are there additional issues that need to be resolved
> before LC which shouldn't be punted to CSP 1.2? Now's the time to speak up!
>
> [1]:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0121.html
> [2]:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

Received on Wednesday, 11 June 2014 14:38:25 UTC