W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 1 Oct 2013 11:10:19 -0700
Message-ID: <CAEeYn8idN9mKzFZZyGNR0R9NGUpNG10nYTkU+mNXh51-DEAqtQ@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

  As I've now repeatedly mentioned, this mailing list is the primary work
mode for this WG.  Few people here follow  the WG's bugzilla. We have
members who make important contributions that can't join the
teleconferences for time zone and other reasons.  We use our
teleconferences to socialize and formalize consensus achieved primarily on
the list, and nearly all of our agenda topics for the call are taken from
the list.  To use everyone's time well and assist those who are not native
English speakers, we expect that proposals and discussions on the call have
supporting references from the mailing list for background and context.

  Please bring your issues and proposals to this list for review by the
full WG cohort, even if it's just a copy-paste from your bugzilla posts.
 That's how everyone in the WG will see it and that's how things get added
to our teleconference agenda.

Thank you,

Brad Hill

On Mon, Sep 30, 2013 at 10:31 PM, Glenn Adams <glenn@skynav.com> wrote:

> On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> As discussed on our last conference call and in a previous email, we are
>> behind schedule on our deliverables and I would like to propose that we
>> close the feature set for CSP 1.1.
>> This is a formal poll to establish consensus.  Workgroup members, please
>> take a few minutes to respond to these 6 questions to the list.
>> 1: We should close the feature set of CSP 1.1?  Agree / Disagree
>> 2. We should include the application of 'unsafe-eval' semantics to the
>> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>> 3. We should include the suborigin sandboxing proposal in the core CSP
>> 1.1 feature set? Agree / Disagree
>> 4. We should include the "Session Origin Security" policy in the core CSP
>> 1.1 feature set?  Agree / Disagree
>> 5. We should include the "cookie-scope" policy in the core CSP 1.1
>> feature set?  Agree / Disagree
>> Finally, we have a Formal Objection that has been registered by the Cox
>> Communication representative Glenn Adams to reverse the currently specified
>> behavior of allowing user-defined scripts (including from extensions).
>>  Glenn has declined to raise his suggestions on this list after several
>> invitations to do so, but he gave a high-level set of proposals attached to
>> this bug:
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>> 6. We should make changes to core CSP 1.1 behavior (including possibly
>> specifying a new directive about user script) as requested by Bug 23357?
>>  Agree / Disagree
> It is premature to ask for a poll on a bug report that has not been
> discussed by the WG. I would suggest that a discussion occur at the next
> scheduled teleconference. I would be happy to discuss our concerns that led
> to filing this bug report at that time.
>> Please reply to this list so your views can be "on the record".  This
>> poll closes at the start of our next regularly scheduled teleconference on
>> October 8th at 2pm  United States Pacific Time.
>> Thank you,
>> Brad Hill
>> co-chair, WebAppSec WG
Received on Tuesday, 1 October 2013 18:10:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC