- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 17 Oct 2012 16:02:13 -0700
- To: Fred Andrews <fredandw@live.com>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
What you've written below is nonsense. Please stop trolling this mailing list.

Adam

On Wed, Oct 17, 2012 at 3:42 PM, Fred Andrews <fredandw@live.com> wrote:
>
> Viewing the DOM/script platform as being incapable of maintaining privacy has
> been used by the WG to exclude some consideration of privacy in the CSP spec.
> The WG has revised the amount of information sent in reports and I commend
> them for this.
>
> What the WG has failed to consider is the capability of the UA to maintain privacy,
> and it would be hard for the WG to argue that a UA could not block reports and
> thus the conclusion of the WG that the platform is not capable of maintaining
> the privacy of the security violation reports is false. Thus I believe the refusal of
> the WG to consider privacy issues is a failing of the WG.
>
> The reason stated below for rejecting issue 11 may mislead some readers and I
> request that it be changed to more completely reflect the reality of the WG's decision.
> The claim that "violation reports do not disclose any information not already available
> to the author of the resource" is clearly false because if the author already knew
> the information then there would be no need to send the report.
>
> I suggest that the reality is that the WG refuses to consider privacy matters because
> it views the DOM/script platform as being incapable of maintaining privacy and would
> appreciate it if the reason could be revised along these lines for the record.
>
> It may be helpful to privacy advocates to understand the reasons for rejecting privacy
> considerations in ongoing standards so that they can ponder paths forward.
>
> cheers
> Fred
>
> ________________________________
> From: bhill@paypal-inc.com
> To: public-webappsec@w3.org; fredandw@live.com; bzbarsky@MIT.EDU
> Date: Fri, 12 Oct 2012 22:11:16 +0000
> Subject: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky
>
> As we prepare to move CSP 1.0 to Candidate Recommendation, I find I have
> erred as a chair in the procedure to publicly document the WG's resolution
> of Boris Zbarsky and Fred Andrews' post-Last Call comments in the following
> messages:
>
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0005.html
>
> We opened issues, notified the list of such, and the resolution of these
> issues is publicly visible, but I was requested as part of CR review that
> the group document this more fully and explicitly on the list and reply
> directly to the commenters by email.
>
> The full resolution of each of these issues, as recorded in our
> teleconferences, is available at the links below, a brief summary of the
> WG's action is included inline here, and the commenters are cc'd on this
> message.
>
> Issue 11 was re-raised to address privacy concerns about the CSP reporting
> feature.
> https://www.w3.org/2011/webappsec/track/issues/11
>
> The WG rejected making any changes based on Mr. Andrews' comments as
> violation reports do not disclose any information not already available to
> the author of the resource.
>
> Issue 16 was raised to address editorial concerns about the scope and
> authority of CSP in the client execution context.
> https://www.w3.org/2011/webappsec/track/issues/16
>
> The WG accepted and incorporated this feedback.
>
> Issue 17 was raised to address concerns about interference by CSP with
> extensions/plugins.
> https://www.w3.org/2011/webappsec/track/issues/17
>
> The WG considered that this core concern was already adequately addressed by
> the current text, and more detailed non-normative guidance can be added to
> future versions as implementation experience suggests.
>
> Issue 18 was raised to address concerns about the purpose and use of CSP.
> https://www.w3.org/2011/webappsec/track/issues/17
>
> The WG closed this issue, choosing to make no modifications to the
> specification text, as the suggestions were outside of the chartered goals
> of the WG, and the existing text did not preclude it from being used in the
> suggested manner, but such uses would be highly specific to proprietary
> technology implementations.
>
> Issue 19 was raised to address concerns about use of non-ASCII characters in
> CSP.
> https://www.w3.org/2011/webappsec/track/issues/19
>
> The WG closed this issue, choosing to make no modifications to the
> specification text: user agents need to translate IRIs into URIs for use in
> HTTP, and everything in CSP 1.0 is defined in terms of networking operations
> at the HTTP layer.
>
> We will hold off publishing the CR of CSP 1.0 for one week from this date
> (October 12) to give these individuals an opportunity to re-raise these
> concerns if they do not feel the WG has adequately addressed them.
>
> Thank you,
>
> Brad Hill
> WebAppSec WG co-chair
Received on Wednesday, 17 October 2012 23:03:13 UTC