Edge is advertising itself as a "standards based browser" and more. I'm disappointed to hear that IE/Edge has no near-term plans for CSP2. Is it fair for a standards-based browser to not have near-term plans for CSP2 or are other browsers on a more long-term plan to support CSP2 as well? Aloha, Jim On 8/13/15 1:47 PM, Crispin Cowan wrote: > > IE/Edge have no near-term plans to implement CSP2. > > *From:*Brad Hill [mailto:hillbrad@gmail.com] > *Sent:* Wednesday, August 12, 2015 3:15 PM > *To:* Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org> > *Cc:* public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy > Seltzer <wseltzer@w3.org> > *Subject:* Re: CfC: CSP2 to PR; deadline Aug 18th. > > Can someone from Mozilla or IE confirm that they intend to implement > child-src? As of the latest Firefox nightly, I still get console > warnings that 'child-src' is an unknown directive. > > On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com > <mailto:mkwst@google.com>> wrote: > > On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org > <mailto:brian@briansmith.org>> wrote: > > On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com > <mailto:mkwst@google.com>> wrote: > > 2. It drops the `CSP` header entirely. Chrome implemented > it, and rolled it back due to unexpected interactions with > CORS. No other browser implemented it (as far as I'm > aware?). This feature was marked as "at risk", and as it's > going to require more thought > (https://github.com/whatwg/fetch/issues/52), I'd like to > bump it to CSP3. > > The spec should at least mention the privacy problem that the > CSP request header was supposed to help websites mitigate in > its security/privacy considerations section. > > WDYT of > https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5? > > -mike > -- Jim Manico Global Board Member OWASP Foundation https://www.owasp.org Join me at AppSecUSA 2015!
Received on Thursday, 13 August 2015 23:57:13 UTC