Re: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky

Dear Adam, Brad, 

having specified a mechanism of policy violation reporting without 
having considered privacy is a problem. 

The current specification says in 4.11:
==
The report-uri directive specifies a URI to which the user agent 
sends reports about policy violation.
==

It goes on saying: 
==
To send a violation report, the user agent must use an algorithm 
equivalent to the following:
==

The following algorithm disregards the user using the web 
application. It would be very easy to add a step that allows a 
decision by the user to send the report or not. This is what current 
operating systems do and I look forward to an argument on why this 
is omitted here. 

In light of DRM systems in Apps and the current discussions in media 
about mobile applications revealing data about the user, requiring a 
response on privacy is far from trolling. 

The issue may be big or not and I'm willing to participate in the 
TPAC session organized by Brad. But "phoning home" without the user 
knowing is a serious issue that is very specific to CSP. Can you 
elaborate how this is resolved in CSP other than "this is an 
implementation question"? IMHO because CSP creates a "phone home" 
feature, it should also address the consequences. 

Best, 

 Rigo Wenning
 W3C Privacy Activity Lead

On Wednesday 17 October 2012 16:02:13 Adam Barth wrote:
> What you've written below is nonsense.  Please stop trolling this
> mailing list.

Received on Thursday, 18 October 2012 10:37:11 UTC