Re: Comments on CSP Level 2 from Nottingham, Mark on 2014-08-19 (public-webappsec@w3.org from August 2014)

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 19 Aug 2014 02:18:33 -0500
To: Mike West <mkwst@google.com>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CB0DAC8D-7FF5-4AC2-8228-787191E0AE4B@akamai.com>

Thanks!

On 18 Aug 2014, at 5:54 pm, Mike West <mkwst@google.com> wrote:

> Thanks, Mark!
> 
> On Thu, Aug 14, 2014 at 4:27 AM, Nottingham, Mark <mnotting@akamai.com> wrote:
> Based upon <http://www.w3.org/TR/2014/WD-CSP2-20140703/>.
> 
> * Some indication of this spec's relationship to CSP1 is necessary, if only to say "It is backwards-compatible and adds the following directives..."  Without that, it's very difficult for readers to judge what's changed, and whether they need to change existing deployed policies.
> 
> Yes. Sorry I haven't taken care of this yet. Filed https://github.com/w3c/webappsec/issues/45 to make sure I remember.
>  
> * Prefixing header field names with "CH-" is cargo cult protocol design; please stop it. See also <https://github.com/igrigorik/http-client-hints/issues/24>. It's not a "Client Hint", it's a request header field.
> 
> Hrm. Ok. My though was that it was a hint to the server about the client's execution environment ("CSP is active on the client for this request." Filed https://github.com/w3c/webappsec/issues/46 to rename.
>  
> * If you want any other values to be possible, you need to define extensibility for CH-CSP. Also, *WSP is not necessary there.
> 
> CSP2 doesn't define any other values. I can't think of any other values that we'd add, but that certainly doesn't mean that none exist. What's the right way to define extensibility?
>  
> * Having a different spelling for "referrer" as compared to the header seems to invite problems/misunderstanding...
> 
> As Anne noted, there's enough precedent for correcting the spelling that I'd like to do so here as well.
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/

Received on Tuesday, 19 August 2014 07:19:01 UTC