[webappsec] POLL: Getting CSP 1.1 to LCWD

As discussed on our last conference call and in a previous email, we are
behind schedule on our deliverables and I would like to propose that we
close the feature set for CSP 1.1.

This is a formal poll to establish consensus.  Workgroup members, please
take a few minutes to respond to these 6 questions to the list.

1: We should close the feature set of CSP 1.1?  Agree / Disagree

2. We should include the application of 'unsafe-eval' semantics to the
CSSOM in the core CSP 1.1 feature set? Agree / Disagree

3. We should include the suborigin sandboxing proposal in the core CSP 1.1
feature set? Agree / Disagree

4. We should include the "Session Origin Security" policy in the core CSP
1.1 feature set?  Agree / Disagree

5. We should include the "cookie-scope" policy in the core CSP 1.1 feature
set?  Agree / Disagree

Finally, we have a Formal Objection that has been registered by the Cox
Communication representative Glenn Adams to reverse the currently specified
behavior of allowing user-defined scripts (including from extensions).
 Glenn has declined to raise his suggestions on this list after several
invitations to do so, but he gave a high-level set of proposals attached to
this bug:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357

6. We should make changes to core CSP 1.1 behavior (including possibly
specifying a new directive about user script) as requested by Bug 23357?
 Agree / Disagree


Please reply to this list so your views can be "on the record".  This poll
closes at the start of our next regularly scheduled teleconference on
October 8th at 2pm  United States Pacific Time.

Thank you,

Brad Hill
co-chair, WebAppSec WG

Received on Monday, 30 September 2013 23:23:50 UTC