Re: Comments on CSP Level 2

Thanks, Mark!

On Thu, Aug 14, 2014 at 4:27 AM, Nottingham, Mark <mnotting@akamai.com>
wrote:

> Based upon <http://www.w3.org/TR/2014/WD-CSP2-20140703/>.
>
> * Some indication of this spec's relationship to CSP1 is necessary, if
> only to say "It is backwards-compatible and adds the following
> directives..."  Without that, it's very difficult for readers to judge
> what's changed, and whether they need to change existing deployed policies.
>

Yes. Sorry I haven't taken care of this yet. Filed
https://github.com/w3c/webappsec/issues/45 to make sure I remember.


> * Prefixing header field names with "CH-" is cargo cult protocol design;
> please stop it. See also <
> https://github.com/igrigorik/http-client-hints/issues/24>. It's not a
> "Client Hint", it's a request header field.
>

Hrm. Ok. My though was that it was a hint to the server about the client's
execution environment ("CSP is active on the client for this request."
Filed https://github.com/w3c/webappsec/issues/46 to rename.


> * If you want any other values to be possible, you need to define
> extensibility for CH-CSP. Also, *WSP is not necessary there.
>

CSP2 doesn't define any other values. I can't think of any other values
that we'd add, but that certainly doesn't mean that none exist. What's the
right way to define extensibility?


> * Having a different spelling for "referrer" as compared to the header
> seems to invite problems/misunderstanding...
>

As Anne noted, there's enough precedent for correcting the spelling that
I'd like to do so here as well.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)