- From: Mike West <mkwst@google.com>
- Date: Mon, 7 Oct 2013 11:31:55 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=d2Nqzj2FJfW2OfidtUbowoKHuNv2Ot=Cq-67UD_auVug@mail.gmail.com>
On Fri, Oct 4, 2013 at 2:11 AM, Brad Hill <hillbrad@gmail.com> wrote:
> This is a request again, for all WG members, to please send your response
> to this simple poll before our call on Tuesday:
>
> 1: We should close the feature set of CSP 1.1? Agree / Disagree
>

Agree.

> 2. We should include the application of 'unsafe-eval' semantics to the
> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>

Agree (though not at all strongly).

> 3. We should include the suborigin sandboxing proposal in the core CSP
> 1.1 feature set? Agree / Disagree
>

Disagree. I believe (like =JeffH) that this should be a separate spec.

> 4. We should include the "Session Origin Security" policy in the core CSP
> 1.1 feature set? Agree / Disagree
>

Disagree.

> 5. We should include the "cookie-scope" policy in the core CSP 1.1 feature
> set? Agree / Disagree
>

Disagree.

> 6. We should make changes to core CSP 1.1 behavior (including possibly
> specifying a new directive about user script) as requested by Bug 23357?
> Agree / Disagree
>

Disagree. For the record, I wouldn't be terribly put out by removing the text regarding add-ons from section 3.3. I do not, however, see good reason to change Blink's extension-related behavior on this point.

Also: the DOM API isn't in this poll, but is a pretty substantial open question nonetheless. I think we have two options for 1.1:

1. Flesh out Alex Russell's (http://infrequently.org/2013/05/use-case-zero/) and Yehuda Katz's (http://yehudakatz.com/2013/05/24/an-extensible-approach-to-browser-security-policy/) proposals. They are substantially more interesting than what we have at the moment. This has been on my plate for months.

2. Kill the DOM API for the moment, and do #1 in 1.2, along with a more complete integration with ServiceWorkers.

I'd like to do #1, but #2 is probably more realistic. I'll break this out into a separate thread.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
Received on Monday, 7 October 2013 09:32:44 UTC