- From: Glenn Adams <glenn@skynav.com>
- Date: Mon, 30 Sep 2013 18:39:52 -0600
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CACQ=j+fNndekpo85C0HXpdqTgKiaqU-=y5q=s=uAVXSWDsciuQ@mail.gmail.com>
On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:

> As discussed on our last conference call and in a previous email, we are
> behind schedule on our deliverables and I would like to propose that we
> close the feature set for CSP 1.1.
>
> This is a formal poll to establish consensus. Workgroup members, please
> take a few minutes to respond to these 6 questions to the list.
>
> 1: We should close the feature set of CSP 1.1? Agree / Disagree
>
> 2. We should include the application of 'unsafe-eval' semantics to the
> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>
> 3. We should include the suborigin sandboxing proposal in the core CSP 1.1
> feature set? Agree / Disagree
>
> 4. We should include the "Session Origin Security" policy in the core CSP
> 1.1 feature set? Agree / Disagree
>
> 5. We should include the "cookie-scope" policy in the core CSP 1.1 feature
> set? Agree / Disagree
>
> Finally, we have a Formal Objection that has been registered by the Cox
> Communication representative Glenn Adams to reverse the currently specified
> behavior of allowing user-defined scripts (including from extensions).
> Glenn has declined to raise his suggestions on this list after several
> invitations to do so, but he gave a high-level set of proposals attached to
> this bug:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>

I have laid out the problem in detail and proposed a number of possible solutions in the text of that bug. Doing it again here would just be repeating myself.

> 6. We should make changes to core CSP 1.1 behavior (including possibly
> specifying a new directive about user script) as requested by Bug 23357?
> Agree / Disagree
>
> Please reply to this list so your views can be "on the record". This poll
> closes at the start of our next regularly scheduled teleconference on
> October 8th at 2pm United States Pacific Time.
>
> Thank you,
>
> Brad Hill
> co-chair, WebAppSec WG

Received on Tuesday, 1 October 2013 00:40:41 UTC