[webappsec] Call for Consensus: Content Security Policy 1.0 to Candidate Recommendation

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 4 Sep 2012 22:21:28 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E236234@DEN-EXDDA-S12.corp.ebay.com>

As discussed in our WebAppSec WG teleconference of 8/28, the editors would like to publish Content Security Policy 1.0 as a Candidate Recommendation and this is a Call for Consensus to do so:


To advance to CR, the WG must: (http://www.w3.org/2005/10/Process-20051014/tr.html#transition-reqs)

  1.  Record the group's decision to request advancement.
  2.  Provide public documentation of all changes (both substantive and minor) to the technical report since the previous step. A substantive change (whether deletion, inclusion, or other modification) is one where someone could reasonably expect that making the change would invalidate an individual's review or implementation experience. Other changes (e.g., clarifications, bug fixes, editorial repairs, and minor error corrections) are minor changes.
  3.  Report which, if any, of the Working Group's requirements for this document have changed since the previous step.
  4.  Report any changes in dependencies with other groups.
  5.  Show evidence of wide review.
  6.  Formally address<http://www.w3.org/2005/10/Process-20051014/policies.html#formal-address> all issues raised about the document since the previous step.
  7.  Report any Formal Objections<http://www.w3.org/2005/10/Process-20051014/policies.html#FormalObjection>.

This CfC satisfies requirement #1 to "record the group's decision to request advancement" and is a final opportunity to raise issues or objections to the content of the document.

Additionally, we must record that we have met the WG's charter requirement that two independent implementations exist of every major feature and precisely identify any features that are "at risk".  In support of this, I encourage user agent authors in the group to please self-report on their implementation status at this time.

Positive response to this CfC is preferred and encouraged and silence will be considered as agreement with the proposal. The deadline for comments is September 11. Please send all comments to:


Following advancement to CR, we will issue a Call for Implementations which will serve as a signal to the community to begin using and honoring the standard CSP header without vendor prefixing.  After again meeting the general steps for advancement documented herein, developing a test suite to prove that two compatible and interoperable implementations exist of each feature, and review by the Advisory Committee, the report can next advance to Proposed Recommendation.

Thank you,

-Brad Hill
Received on Tuesday, 4 September 2012 22:22:01 UTC
