[webappsec] Proposal: Closing the feature set of CSP 1.1

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 9 Sep 2013 17:14:02 -0700
Message-ID: <CAEeYn8gj1AYDuy-EyhdmoqCBqgatX1=v76YnAxNXYTrL-WXNmA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I'd like to begin considering on tomorrow's call and attempt to reach
consensus in the next two weeks on closing the feature set of CSP 1.1 so we
can work to advance the standard and the WG's other deliverables.  This
doesn't imply things that don't make the cut are never going to happen,
just that they won't be part of the normative baseline of CSP 1.1.   Of
course, CSP has an extensible syntax and proposals can be developed in
their own specifications past this date, as we are already doing with
UISecurity.

The currently outstanding features that are "in", and their owners,
according to my accounting are:
------------

referrer-control (Mike West)
DOM API (Mike West)
worker policy control (Dan Veditz)
inline whitelisting with hash or nonce (Neil Matatall and Adam Barth)



The current outstanding proposals that are not formally accepted by the WG
and editors are:
--------------
Application of unsafe-eval to inline use of CSSOM, as proposed by Ian Melvin
http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0097.html

suborigins, as proposed by Joel Weinberger
http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0018.html

SOS as proposed by Mike Shema
http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0037.html


NetworkController integration?


Can anyone point to something I might be missing?

Thanks,

Brad Hill
Received on Tuesday, 10 September 2013 00:14:30 UTC