- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Tue, 08 Oct 2013 14:00:12 -0700
- To: public-webappsec@w3.org
On 10/01/2013 01:23 AM, Brad Hill wrote:
> 1: We should close the feature set of CSP 1.1? Agree / Disagree

Agree.

> 2. We should include the application of 'unsafe-eval' semantics to the
> CSSOM in the core CSP 1.1 feature set? Agree / Disagree

Disagree.

> 3. We should include the suborigin sandboxing proposal in the core CSP
> 1.1 feature set? Agree / Disagree

Disagree (not strongly)

> 4. We should include the "Session Origin Security" policy in the core
> CSP 1.1 feature set? Agree / Disagree

Disagree (not strongly)

> 5. We should include the "cookie-scope" policy in the core CSP 1.1
> feature set? Agree / Disagree

Disagree (not strongly)

I think 3, 4, 5 are all different attempts to address the same or similar
problems. We should attempt to synthesize them, or pick a winner.

> Finally, we have a Formal Objection that has been registered by the Cox
> Communication representative Glenn Adams to reverse the currently
> specified behavior of allowing user-defined scripts (including from
> extensions). Glenn has declined to raise his suggestions on this list
> after several invitations to do so, but he gave a high-level set of
> proposals attached to this bug:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>
> 6. We should make changes to core CSP 1.1 behavior (including possibly
> specifying a new directive about user script) as requested by Bug 23357?
> Agree / Disagree

Disagree.

> Please reply to this list so your views can be "on the record". This
> poll closes at the start of our next regularly scheduled teleconference
> on October 8th at 2pm United States Pacific Time.
>
> Thank you,
>
> Brad Hill
> co-chair, WebAppSec WG
Received on Tuesday, 8 October 2013 21:00:41 UTC