- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 6 Sep 2012 12:01:23 -0700
- To: public-webappsec@w3.org

On Tue, Sep 4, 2012 at 10:21 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As discussed in our WebAppSec WG teleconference of 8/28, the editors would like to publish Content Security
> Policy 1.0 as a Candidate Recommendation and this is a Call for Consensus to do so:
>
> http://www.w3.org/TR/2012/WD-CSP-20120710/
>
> To advance to CR, the WG must: (http://www.w3.org/2005/10/Process-20051014/tr.html#transition-reqs)
>
> 1. Record the group's decision to request advancement.
> 2. Provide public documentation of all changes (both substantive and minor) to the technical report since the
> previous step. A substantive change (whether deletion, inclusion, or other modification) is one where someone
> could reasonably expect that making the change would invalidate an individual's review or implementation
> experience. Other changes (e.g., clarifications, bug fixes, editorial repairs, and minor error corrections) are minor
> changes.

There have been two changes, both of which seem minor:

A) <http://dvcs.w3.org/hg/content-security-policy/rev/9e865ab225e3>. This change just updated the text in the "Status of this Document" to reflect that the IETF working group is no longer working on draft-gondrom-websec-csp-header.

B) <http://dvcs.w3.org/hg/content-security-policy/rev/a2cca933c0f1>. This change just fixed a bug in the spec's handling of ext-host-source.

> 3. Report which, if any, of the Working Group's requirements for this document have changed since the
> previous step.
> 4. Report any changes in dependencies with other groups.
> 5. Show evidence of wide review.
> 6. Formally address<http://www.w3.org/2005/10/Process-20051014/policies.html#formal-address> all issues
> raised about the document since the previous step.
> 7. Report any Formal Objections<http://www.w3.org/2005/10/Process-20051014/policies.html#FormalObjection>.
>
> This CfC satisfies requirement #1 to "record the group's decision to request advancement" and a final opportunity to
> raise issues or objections to the content of the document.
>
> Additionally, we must record that we have met the WG's charter requirement that two independent implementations
> exist of every major feature and precisely identify any features that are "at risk".

Which requirement in the charter are you looking at? The charter <http://www.w3.org/2011/08/appsecwg-charter.html> says:

---8<---
To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature described in the specification.
--->8---

We're talking about advancing the document to Candidate Recommendation, not Proposed Recommendation. We'll hit this requirement at the next document maturity.

> In support of this, I encourage user
> agent authors in the group to please self-report on their implementation status at this time.

WebKit has a complete implementation of Content Security Policy 1.0.

> Positive response to this CfC is preferred and encouraged and silence will be considered as agreement with the
> proposal. The deadline for comments is September 11. Please send all comments to:
>
> public-webappsec@w3.org<mailto:public-webappsec@w3.org>
>
> Following advancement to CR, we will issue a Call for Implementations which will serve as a signal to the community
> to begin using and honoring the standard CSP header without vendor prefixing. After again meeting the general
> steps for advancement documented herein, developing a test suite to prove that two compatible and interoperable
> implementations exist of each feature, and review by the Advisory Committee, the report can next advance to
> Proposed Recommendation.

I support advancing Content Security Policy 1.0 to Candidate Recommendation.

Thanks!
Adam

Received on Thursday, 6 September 2012 19:02:27 UTC