Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 4 Oct 2013 12:47:44 -0700
Message-ID: <CAEeYn8g9UTKi7sXb0NPvg6wkzROfCXQXUPfhncm72uFjWDmJDw@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

We can always remove non-normative text at any point, provided there is
consensus.  We can continue to work towards consensus on whether to keep
the current non-normative language in Section 3.3, but that approach does
not necessitate any changes to this poll, which is only about closing the
spec to new features, requirements and normative behavior.


On Fri, Oct 4, 2013 at 12:38 PM, Glenn Adams <glenn@skynav.com> wrote:

>
> On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> As discussed on our last conference call and in a previous email, we are
>> behind schedule on our deliverables and I would like to propose that we
>> close the feature set for CSP 1.1.
>>
>> This is a formal poll to establish consensus.  Workgroup members, please
>> take a few minutes to respond to these 6 questions to the list.
>>
>> 1. We should close the feature set of CSP 1.1?  Agree / Disagree
>>
>> 2. We should include the application of 'unsafe-eval' semantics to the
>> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>>
>> 3. We should include the suborigin sandboxing proposal in the core CSP
>> 1.1 feature set? Agree / Disagree
>>
>> 4. We should include the "Session Origin Security" policy in the core CSP
>> 1.1 feature set?  Agree / Disagree
>>
>> 5. We should include the "cookie-scope" policy in the core CSP 1.1
>> feature set?  Agree / Disagree
>>
>> Finally, we have a Formal Objection that has been registered by the Cox
>> Communication representative Glenn Adams to reverse the currently specified
>> behavior of allowing user-defined scripts (including from extensions).
>> Glenn has declined to raise his suggestions on this list after several
>> invitations to do so, but he gave a high-level set of proposals attached to
>> this bug:
>>
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>>
>> 6. We should make changes to core CSP 1.1 behavior (including possibly
>> specifying a new directive about user script) as requested by Bug 23357?
>> Agree / Disagree
>>
>
> Based on discussions with Cory in this ML, you need to rephrase this
> question to read:
>
> <blockquote>
> We should remove the following text from Section 3.3 Processing Model:
>
> "Enforcing a CSP policy should not interfere with the operation of
> user-supplied scripts such as third-party user-agent add-ons and JavaScript
> bookmarklets."
> </blockquote>
>
> There is no change in core CSP 1.1 behavior here since the above language
> takes the form of a recommendation on UA vendors, and not a mandatory
> behavior.
>
>
>>
>>
>> Please reply to this list so your views can be "on the record".  This
>> poll closes at the start of our next regularly scheduled teleconference on
>> October 8th at 2pm United States Pacific Time.
>>
>> Thank you,
>>
>> Brad Hill
>> co-chair, WebAppSec WG
>>
>
>
Received on Friday, 4 October 2013 19:48:12 UTC