Re: Call for Consensus: Content Security Policy 1.0 to Candidate Recommendation

On Tue, Sep 4, 2012 at 10:21 PM, Hill, Brad <> wrote:
> As discussed in our WebAppSec WG teleconference of 8/28, the editors would like to publish Content Security
> Policy 1.0 as a Candidate Recommendation and this is a Call for Consensus to do so:
> To advance to CR, the WG must:
>   1.  Record the group's decision to request advancement.
>   2.  Provide public documentation of all changes (both substantive and minor) to the technical report since the
> previous step. A substantive change (whether deletion, inclusion, or other modification) is one where someone
> could reasonably expect that making the change would invalidate an individual's review or implementation
> experience. Other changes (e.g., clarifications, bug fixes, editorial repairs, and minor error corrections) are minor
> changes.

There have been two changes, both of which seem minor:

A) <>.
This change just updated the text in the "Status of this Document" to
reflect that the IETF working group is no longer working on

B) <>.
This change just fixed a bug in the spec's handling of

>   3.  Report which, if any, of the Working Group's requirements for this document have changed since the
> previous step.
>   4.  Report any changes in dependencies with other groups.
>   5.  Show evidence of wide review.
>   6.  Formally address all issues
> raised about the document since the previous step.
>   7.  Report any Formal Objections.
> This CfC satisfies requirement #1 to "record the group's decision to request advancement" and a final opportunity to
> raise issues or objections to the content of the document.
> Additionally, we must record that we have met the WG's charter requirement that two independent implementations
> exist of every major feature and precisely identify any features that are "at risk".

Which requirement in the charter are you looking at?  The charter
<> says:

To advance to Proposed Recommendation, each specification is expected
to have two independent implementations of each feature described in
the specification.

We're talking about advancing the document to Candidate
Recommendation, not Proposed Recommendation.  We'll hit this
requirement at the next document maturity.

> In support of this, I encourage user
> agent authors in the group to please self-report on their implementation status at this time.

WebKit has a complete implementation of Content Security Policy 1.0.

> Positive response to this CfC is preferred and encouraged and silence will be considered as agreement with the
> proposal. The deadline for comments is September 11. Please send all comments to:
> Following advancement to CR, we will issue a Call for Implementations which will serve as a signal to the community
> to begin using and honoring the standard CSP header without vendor prefixing.  After again meeting the general
> steps for advancement documented herein, developing a test suite to prove that two compatible and interoperable
> implementations exist of each feature, and review by the Advisory Committee, the report can next advance to
> Proposed Recommendation.

I support advancing Content Security Policy 1.0 to Candidate Recommendation.


Received on Thursday, 6 September 2012 19:02:27 UTC