- From: Carson, Cory <Cory.Carson@boeing.com>
- Date: Mon, 7 Oct 2013 22:01:45 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
From: Brad Hill [mailto:hillbrad@gmail.com] Sent: Thursday, October 03, 2013 5:12 PM To: public-webappsec@w3.org Subject: [webappsec] Reminder: please send your preferences This is a request again, for all WG members, to please send your response to this simple poll before our call on Tuesday: 1: We should close the feature set of CSP 1.1? Agree / Disagree Abstain 2. We should include the application of 'unsafe-eval' semantics to the CSSOM in the core CSP 1.1 feature set? Agree / Disagree Agree 3. We should include the suborigin sandboxing proposal in the core CSP 1.1 feature set? Agree / Disagree Disagree 4. We should include the "Session Origin Security" policy in the core CSP 1.1 feature set? Agree / Disagree Disagree 5. We should include the "cookie-scope" policy in the core CSP 1.1 feature set? Agree / Disagree Disagree 6. We should make changes to core CSP 1.1 behavior (including possibly specifying a new directive about user script) as requested by Bug 23357? Agree / Disagree Disagree --- Boeing is interested in suborigin sandboxing and "cookie-scope" because they address security concerns of large multi-component web applications. However, it is Boeing's opinion that 3 and 5 be incubated longer before Boeing backs them. Eg, perhaps there is a way to adjust suborigin sandboxing to include 'cookie-scope's goals?
Received on Monday, 7 October 2013 22:02:14 UTC