- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 30 Sep 2013 16:23:21 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8g_E07OH=6=bVSetMkvs8Evkt-K6h8ZFYm6WDJ=Tg6AwA@mail.gmail.com>

As discussed on our last conference call and in a previous email, we are behind schedule on our deliverables and I would like to propose that we close the feature set for CSP 1.1.

This is a formal poll to establish consensus. Workgroup members, please take a few minutes to respond to these 6 questions to the list.

1. We should close the feature set of CSP 1.1? Agree / Disagree

2. We should include the application of 'unsafe-eval' semantics to the CSSOM in the core CSP 1.1 feature set? Agree / Disagree

3. We should include the suborigin sandboxing proposal in the core CSP 1.1 feature set? Agree / Disagree

4. We should include the "Session Origin Security" policy in the core CSP 1.1 feature set? Agree / Disagree

5. We should include the "cookie-scope" policy in the core CSP 1.1 feature set? Agree / Disagree

Finally, we have a Formal Objection that has been registered by the Cox Communication representative Glenn Adams to reverse the currently specified behavior of allowing user-defined scripts (including from extensions). Glenn has declined to raise his suggestions on this list after several invitations to do so, but he gave a high-level set of proposals attached to this bug:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357

6. We should make changes to core CSP 1.1 behavior (including possibly specifying a new directive about user script) as requested by Bug 23357? Agree / Disagree

Please reply to this list so your views can be "on the record". This poll closes at the start of our next regularly scheduled teleconference on October 8th at 2pm United States Pacific Time.

Thank you,

Brad Hill
co-chair, WebAppSec WG

Received on Monday, 30 September 2013 23:23:50 UTC