- From: Fred Andrews <fredandw@live.com>
- Date: Wed, 17 Oct 2012 22:42:56 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
- Message-ID: <BLU002-W196D16DCB48DE395DBF0C07AA770@phx.gbl>
Viewing the DOM/script platform as being incapable of maintaining privacy has been used by the WG to exclude some consideration of privacy in the CSP spec. The WG has revised the amount of information sent in reports and I commend them for this. What the WG has failed to consider is the capability of the UA to maintain privacy, and it would be hard for the WG to argue that a UA could not block reports; thus the conclusion of the WG that the platform is not capable of maintaining the privacy of the security violation reports is false. Thus I believe the refusal of the WG to consider privacy issues is a failing of the WG.

The reason stated below for rejecting issue 11 may mislead some readers and I request that it be changed to more completely reflect the reality of the WG's decision. The statement that "violation reports do not disclose any information not already available to the author of the resource" is clearly false because if the author already knew the information then there would be no need to send the report. I suggest that the reality is that the WG refuses to consider privacy matters because it views the DOM/script platform as being incapable of maintaining privacy, and would appreciate it if the reason could be revised along these lines for the record.

It may be helpful to privacy advocates to understand the reasons for rejecting privacy considerations in ongoing standards so that they can ponder paths forward.

cheers
Fred

From: bhill@paypal-inc.com
To: public-webappsec@w3.org; fredandw@live.com; bzbarsky@MIT.EDU
Date: Fri, 12 Oct 2012 22:11:16 +0000
Subject: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky
Received on Wednesday, 17 October 2012 22:43:24 UTC