- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 9 Sep 2013 17:14:02 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8gj1AYDuy-EyhdmoqCBqgatX1=v76YnAxNXYTrL-WXNmA@mail.gmail.com>
I'd like to begin considering on tomorrow's call and attempt to reach consensus in the next two weeks on closing the feature set of CSP 1.1 so we can work to advance the standard and the WG's other deliverables.

This doesn't imply things that don't make the cut are never going to happen, just that they won't be part of the normative baseline of CSP 1.1. Of course, CSP has an extensible syntax and proposals can be developed in their own specifications past this date, as we are already doing with UISecurity.

The currently outstanding features that are "in", and their owners, according to my accounting are:
------------
- referrer-control (Mike West)
- DOM API (Mike West)
- worker policy control (Dan Veditz)
- inline whitelisting with hash or nonce (Neil Matatall and Adam Barth)

The current outstanding proposals that are not formally accepted by the WG and editors are:
--------------
- Application of unsafe-eval to inline use of CSSOM, as proposed by Ian Melvin
  http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html
- suborigins, as proposed by Joel Weinberger
  http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0018.html
- SOS as proposed by Mike Shema
  http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0037.html
- NetworkController integration?

Can anyone point to something I might be missing?

Thanks,

Brad Hill

Received on Tuesday, 10 September 2013 00:14:30 UTC