Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

On 10/01/2013 01:23 AM, Brad Hill wrote:

> 1. We should close the feature set of CSP 1.1? Agree / Disagree

Agree.

> 2. We should include the application of 'unsafe-eval' semantics to the
> CSSOM in the core CSP 1.1 feature set? Agree / Disagree
>

Disagree.

> 3. We should include the suborigin sandboxing proposal in the core CSP
> 1.1 feature set? Agree / Disagree
>

Disagree (not strongly).

> 4. We should include the "Session Origin Security" policy in the core
> CSP 1.1 feature set?  Agree / Disagree
>

Disagree (not strongly).

> 5. We should include the "cookie-scope" policy in the core CSP 1.1
> feature set?  Agree / Disagree
>

Disagree (not strongly).

I think 3, 4, 5 are all different attempts to address the same or
similar problems. We should attempt to synthesize them, or pick a winner.

> Finally, we have a Formal Objection that has been registered by the Cox
> Communication representative Glenn Adams to reverse the currently
> specified behavior of allowing user-defined scripts (including from
> extensions).  Glenn has declined to raise his suggestions on this list
> after several invitations to do so, but he gave a high-level set of
> proposals attached to this bug:
>
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>
> 6. We should make changes to core CSP 1.1 behavior (including possibly
> specifying a new directive about user script) as requested by Bug 23357?
>  Agree / Disagree
>

Disagree.

>
> Please reply to this list so your views can be "on the record". This
> poll closes at the start of our next regularly scheduled teleconference
> on October 8th at 2 pm United States Pacific Time.
>
> Thank you,
>
> Brad Hill
> co-chair, WebAppSec WG

Received on Tuesday, 8 October 2013 21:00:41 UTC