Re: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews and Boris Zbarsky

What you've written below is nonsense.  Please stop trolling this mailing list.

Adam


On Wed, Oct 17, 2012 at 3:42 PM, Fred Andrews <fredandw@live.com> wrote:
>
> Viewing the DOM/script platform as being incapable to maintaining privacy
> has
> been used by the WG to exclude some consideration of privacy in the CSP
> spec.
> The WG has revised the amount of information sent in reports and I commend
> them for this.
>
> What the WG has failed to consider is the capability of the UA to maintain
> privacy,
> and it would be hard for the WG to argue that a UA could not block reports
> and
> thus the conclusion of the WG that the platform is not capable of
> maintaining
> the privacy of the security violation reports in false.  Thus I believe the
> refusal of
> the WG to consider privacy issues is a failing of the WG.
>
> The reason stated below for rejecting issue 11 may mislead some reads and I
> request that it be changed to more completely reflect the reality of the WGs
> decision.
> The that "violation reports do not disclose any information not already
> available
> to the author of the resource" is clearly false because if the author
> already knew
> the information then there would be no need to send the report.
>
> I suggest that the reality is that the WG refuses to consider privacy
> matters because
> it views the DOM/script platform as being incapable to maintaining privacy
> and would
> appreciate it if the reason could be revise along these lines for the
> record.
>
> It may be helpful to privacy advocates to understand the reasons for
> rejecting privacy
> considerations in ongoing standards so that they can ponder paths forward.
>
> cheers
> Fred
>
> ________________________________
> From: bhill@paypal-inc.com
> To: public-webappsec@w3.org; fredandw@live.com; bzbarsky@MIT.EDU
> Date: Fri, 12 Oct 2012 22:11:16 +0000
> Subject: Resolution of post-Last Call comments on CSP 1.0 by Fred Andrews
> and Boris Zbarsky
>
>
> As we prepare to move to CSP 1.0 to Candidate Recommendation, I find I have
> erred as a chair in the procedure to publicly document the WG’s resolution
> of Boris Zbarsky and Fred Andrew’s post-Last Call comments in the following
> messages:
>
>
>
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
>
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0005.html
>
>
>
> We opened issues, notified the list of such, and the resolution of these
> issues is publicly visible, but I was requested as part of CR review that
> the group document this more fully and explicitly on the list and reply
> directly to the commenters by email.
>
>
>
> The full resolution of each of these issues, as recorded in our
> teleconferences, is available at the links below, a brief summary of the
> WG’s action is included inline here, and the commenters are cc’d on this
> message.
>
>
>
> Issue 11 was re-raised to address privacy concerns about the CSP reporting
> feature.
>
> https://www.w3.org/2011/webappsec/track/issues/11
>
>
>
> The WG rejected making any changes based on Mr. Andrews’ comments as
> violation reports do not disclose any information not already available to
> the author of the resource.
>
>
>
> Issue 16 was raised to address editorial concerns about the scope and
> authority of CSP in the client execution context.
>
> https://www.w3.org/2011/webappsec/track/issues/16
>
>
>
> The WG accepted and incorporated this feedback.
>
>
>
> Issue 17 was raised to address concerns about interference by CSP with
> extensions/plugins.
>
> https://www.w3.org/2011/webappsec/track/issues/17
>
>
>
> The WG considered that this core concern was already adequately addressed by
> the current text, and more detailed non-normative guidance can be added to
> future versions as implementation experience suggests.
>
>
>
> Issue 18 was raised to address concerns about the purpose and use of CSP.
>
> https://www.w3.org/2011/webappsec/track/issues/17
>
>
>
> The WG closed this issue, choosing to make no modifications to the
> specification text, as the suggestions were outside of the chartered goals
> of the WG, and the existing text did not preclude it from being used in the
> suggested manner but such uses would be highly specific to proprietary
> technology implementations,
>
>
>
> Issue 19 was raised to address concerns about use of non-ASCII characters in
> CSP.
>
> https://www.w3.org/2011/webappsec/track/issues/19
>
>
>
> The WG closed this issue, choosing to make no modifications to the
> specification text, user agents need to translate IRIs into URIs for use in
> HTTP and everything in CSP 1.0 is defined in terms of networking  operations
> at the HTTP layer.
>
>
>
>
>
> We will hold off publishing the CR of CSP 1.0 for one week from this date
> (October 12) to give these individuals an opportunity to re-raise these
> concerns if they do not feel the WG has adequately addressed them.
>
>
>
> Thank you,
>
>
>
> Brad Hill
>
> WebAppSec WG co-chair

Received on Wednesday, 17 October 2012 23:03:13 UTC