Re: Call for Consensus: Content Security Policy 1.0 to Candidate Recommendation

On Tue, Sep 4, 2012 at 10:21 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As discussed in our WebAppSec WG teleconference of 8/28, the editors would like to publish Content Security
> Policy 1.0 as a Candidate Recommendation and this is a Call for Consensus to do so:
>
> http://www.w3.org/TR/2012/WD-CSP-20120710/
>
> To advance to CR, the WG must: (http://www.w3.org/2005/10/Process-20051014/tr.html#transition-reqs)
>
>   1.  Record the group's decision to request advancement.
>   2.  Provide public documentation of all changes (both substantive and minor) to the technical report since the
> previous step. A substantive change (whether deletion, inclusion, or other modification) is one where someone
> could reasonably expect that making the change would invalidate an individual's review or implementation
> experience. Other changes (e.g., clarifications, bug fixes, editorial repairs, and minor error corrections) are minor
> changes.

There have been two changes, both of which seem minor:

A) <http://dvcs.w3.org/hg/content-security-policy/rev/9e865ab225e3>.
This change just updated the text in the "Status of this Document" to
reflect that the IETF working group is no longer working on
draft-gondrom-websec-csp-header.

B) <http://dvcs.w3.org/hg/content-security-policy/rev/a2cca933c0f1>.
This change just fixed a bug in the spec's handling of
ext-host-source.

>   3.  Report which, if any, of the Working Group's requirements for this document have changed since the
> previous step.
>   4.  Report any changes in dependencies with other groups.
>   5.  Show evidence of wide review.
>   6.  Formally address <http://www.w3.org/2005/10/Process-20051014/policies.html#formal-address> all issues
> raised about the document since the previous step.
>   7.  Report any Formal Objections <http://www.w3.org/2005/10/Process-20051014/policies.html#FormalObjection>.
>
> This CfC satisfies requirement #1 to "record the group's decision to request advancement" and is a final opportunity to
> raise issues or objections to the content of the document.
>
> Additionally, we must record that we have met the WG's charter requirement that two independent implementations
> exist of every major feature and precisely identify any features that are "at risk".

Which requirement in the charter are you looking at?  The charter
<http://www.w3.org/2011/08/appsecwg-charter.html> says:

---8<---
To advance to Proposed Recommendation, each specification is expected
to have two independent implementations of each feature described in
the specification.
--->8---

We're talking about advancing the document to Candidate
Recommendation, not Proposed Recommendation.  We'll hit this
requirement at the next document maturity.

> In support of this, I encourage user
> agent authors in the group to please self-report on their implementation status at this time.

WebKit has a complete implementation of Content Security Policy 1.0.

> Positive response to this CfC is preferred and encouraged and silence will be considered as agreement with the
> proposal. The deadline for comments is September 11. Please send all comments to:
>
> public-webappsec@w3.org
>
> Following advancement to CR, we will issue a Call for Implementations which will serve as a signal to the community
> to begin using and honoring the standard CSP header without vendor prefixing.  After again meeting the general
> steps for advancement documented herein, developing a test suite to prove that two compatible and interoperable
> implementations exist of each feature, and review by the Advisory Committee, the report can next advance to
> Proposed Recommendation.

I support advancing Content Security Policy 1.0 to Candidate Recommendation.

Thanks!
Adam

Received on Thursday, 6 September 2012 19:02:27 UTC