- From: Glenn Adams <glenn@skynav.com>
- Date: Tue, 1 Oct 2013 12:13:23 -0600
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CACQ=j+cH6snx6iN=4dA8tFT-2yHsUU3RiqASmUCJzMYGM2Pp5g@mail.gmail.com>

On Tue, Oct 1, 2013 at 12:10 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Glenn,
>
> As I've now repeatedly mentioned, this mailing list is the primary work
> mode for this WG. Few people here follow the WG's bugzilla. We have
> members who make important contributions that can't join the
> teleconferences for time zone and other reasons. We use our
> teleconferences to socialize and formalize consensus achieved primarily on
> the list, and nearly all of our agenda topics for the call are taken from
> the list. To use everyone's time well and assist those who are not native
> English speakers, we expect that proposals and discussions on the call have
> supporting references from the mailing list for background and context.
>
> Please bring your issues and proposals to this list for review by the
> full WG cohort, even if it's just a copy-paste from your bugzilla posts.
> That's how everyone in the WG will see it and that's how things get added
> to our teleconference agenda.
>

Please see [1]. A link is sufficient, and copy pasting the thread in that bug would be confusing. Please schedule adequate time in an upcoming teleconference for me to discuss with the WG.

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357

>
> Thank you,
>
> Brad Hill
>
> On Mon, Sep 30, 2013 at 10:31 PM, Glenn Adams <glenn@skynav.com> wrote:
>
>> On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>> As discussed on our last conference call and in a previous email, we are
>>> behind schedule on our deliverables and I would like to propose that we
>>> close the feature set for CSP 1.1.
>>>
>>> This is a formal poll to establish consensus. Workgroup members, please
>>> take a few minutes to respond to these 6 questions to the list.
>>>
>>> 1: We should close the feature set of CSP 1.1? Agree / Disagree
>>>
>>> 2. We should include the application of 'unsafe-eval' semantics to the
>>> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>>>
>>> 3. We should include the suborigin sandboxing proposal in the core CSP
>>> 1.1 feature set? Agree / Disagree
>>>
>>> 4. We should include the "Session Origin Security" policy in the core
>>> CSP 1.1 feature set? Agree / Disagree
>>>
>>> 5. We should include the "cookie-scope" policy in the core CSP 1.1
>>> feature set? Agree / Disagree
>>>
>>> Finally, we have a Formal Objection that has been registered by the Cox
>>> Communication representative Glenn Adams to reverse the currently specified
>>> behavior of allowing user-defined scripts (including from extensions).
>>> Glenn has declined to raise his suggestions on this list after several
>>> invitations to do so, but he gave a high-level set of proposals attached to
>>> this bug:
>>>
>>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>>>
>>> 6. We should make changes to core CSP 1.1 behavior (including possibly
>>> specifying a new directive about user script) as requested by Bug 23357?
>>> Agree / Disagree
>>>
>>
>> It is premature to ask for a poll on a bug report that has not been
>> discussed by the WG. I would suggest that a discussion occur at the next
>> scheduled teleconference. I would be happy to discuss our concerns that led
>> to filing this bug report at that time.
>>
>>>
>>> Please reply to this list so your views can be "on the record". This
>>> poll closes at the start of our next regularly scheduled teleconference on
>>> October 8th at 2pm United States Pacific Time.
>>>
>>> Thank you,
>>>
>>> Brad Hill
>>> co-chair, WebAppSec WG
>>>

Received on Tuesday, 1 October 2013 18:14:12 UTC