Re: New proposed charter and chairs for WebAppSec WG

On 06/06/2011 03:41 PM, Hill, Brad wrote:
> Yes, the unofficial CSP draft ( is a major deliverable which this group would continue to advance along Recommendations Track - I didn't mean to imply otherwise and have zero desire to start over with the excellent work you've done there in both specification and implementation.

Okay, that is a relief :-)

> Re: manageability.  The philosophy of the CSP is exactly the sort of thing I'm driving at with manageability as a top-level concern, as a positive example vs. e.g., having to manage the attributes of every tag in every resource on a domain.  The value judgment is that security policy  must be available at the same scope as the security guarantees which depend on it.  So, if a single XSS can compromise the security of an entire origin's applications, it should be possible to specify and apply anti-XSS policies at the level of the entire origin.  There's a huge history of vulnerabilities to show why this is important.  

I can't argue with the assertion that a single XSS tends to compromise
the security of an entire origin, but I'm not sure that it a requirement
for global policy mechanism follows from that assertion.

> I'm aware of the discussion here, as far as headers vs/and/or in addition to, a well-known policy location, controversy about adding extra requests, and appreciate the conservative instinct there in creating a first implementation.  I included it in the charter proposal because I feel that policy scope, advertisement and deployment mechanisms are still relevant and live topics for advancement and discussion in the WG from a variety of perspectives.
> Is your opinion otherwise, that this is a settled issue and should be out of scope?
> -Brad

No, my personal preference is to leave out a global policy mechanism for
the sake of keeping CSP simpler, but I definitely wouldn't and couldn't
declare the issue settled or out of scope.  If people feel strongly that
such a mechanism should be added to CSP then I would suggest they make
the case on the list.  Adding it to the charter as you have it does,
though, seem to remove some opportunity for the counter position to be


Received on Tuesday, 7 June 2011 00:07:12 UTC