- From: Jonathan Kingston <jonathan@jooped.co.uk>
- Date: Sun, 10 Jan 2016 02:32:33 +0000
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaUHCzHRr5NcxHDJSP7ERh-xwyCJa7S0-1h6EL=iHxCYSg@mail.gmail.com>
Hey all and Mike,

I found a few nits after picking it apart on the plane, I'll raise one bug for them as all minor.

Parts that I can remember from picking through that stuck out:

- Policy list and CSP list seem to be used interchangeably, is that correct? Can they be unified? (Granted one is a serialised list, but source list and policies follow that trend.)
- It's also not clear to me when '2.1.2. Parse a serialized policy list' would ever be used.
- '2.1.1. Parse a serialized policy' mentions the following: "If policy’s directive set contains a directive whose name is directive name, skip the remaining substeps and continue to the next item." This isn't clear to me on the intent of why it was skipped. Is it that the value was unparsable or the name wasn't matched?
- 'Issue 1: Is this kind of thing specified anywhere? I didn’t see anything that looked useful in [ES2015].' Nope, this is actually non-standard; I have always wanted standardised error codes etc. that are unique and not impacted by user language. I'm happy to start a draft strawman proposal if you would like that?
- 'The defined directives fall into one of several categories:' - this probably needs an issue by it to define those categories.

Kind regards
Jonathan

On Fri, Dec 4, 2015 at 1:33 PM Mike West <mkwst@google.com> wrote:
> Hello, webappsecians!
>
> At TPAC, we discussed stripping CSP3 down to be a clearer explanation of
> CSP2 in terms of Fetch, along with a set of hooks that enable modular
> documents to define the new stuff. I'm slowly working towards that goal.
>
> https://w3c.github.io/webappsec-csp/ is substantially rewritten, and I've
> started working with our friends in the WHATWG to add relevant hooks to
> their version of HTML and Fetch. There's still a little bit of outstanding
> work to be done, but it's far enough along that it would be helpful to get
> some more eyes on the document before I erroneously convince myself that
> it's finished.
>
> Once you finish reading Brad's new UI Security draft, I'd appreciate you
> taking a look at this one. :)
>
> -mike
>
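As an added illustration that is not part of this thread or of the spec text, the following Python sketch models the two algorithms Jonathan asks about (2.1.1 "parse a serialized policy" and 2.1.2 "parse a serialized policy list"). The skip step in 2.1.1 is the duplicate-directive rule: a later directive whose name is already in the policy's directive set is ignored, so the first occurrence wins and a repeated directive name cannot widen an earlier, stricter one. The sample policy strings and the split-on-';' / split-on-',' handling are assumptions modelled on CSP3's approach, not the spec's own code.

```python
# Added example: a small parser modelled on CSP3's "parse a serialized policy"
# and "parse a serialized policy list" steps. Not the spec's or any browser's code.
from typing import Dict, List

# A parsed policy: directive name -> list of whitespace-separated directive values.
Policy = Dict[str, List[str]]


def parse_serialized_policy(serialized: str) -> Policy:
    """Parse one policy, e.g. "default-src 'self'; script-src cdn.example"."""
    policy: Policy = {}
    for token in serialized.split(";"):          # directives are ';'-separated
        token = token.strip()                    # strip leading/trailing ASCII whitespace
        if not token:
            continue                             # empty token (e.g. trailing ';') is skipped
        parts = token.split()                    # split on ASCII whitespace
        name = parts[0].lower()                  # directive names are case-insensitive
        if name in policy:
            # Duplicate directive name: this is the "skip the remaining substeps"
            # step. The earlier directive is kept; the later one has no effect,
            # so a repeated name cannot loosen what was already set.
            continue
        policy[name] = parts[1:]
    return policy


def parse_serialized_policy_list(serialized: str) -> List[Policy]:
    """Parse a ','-separated list of policies, e.g. several merged header values."""
    return [parse_serialized_policy(p) for p in serialized.split(",") if p.strip()]


if __name__ == "__main__":
    # Constructed sample: the trailing duplicates are ignored, first occurrence wins.
    sample = "default-src 'self'; script-src https://cdn.example.com; script-src *; DEFAULT-SRC 'none';"
    print(parse_serialized_policy(sample))
    print(parse_serialized_policy_list("default-src 'self', img-src *"))
```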
Received on Sunday, 10 January 2016 02:33:12 UTC