- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 3 Feb 2014 13:02:39 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Feb 3, 2014 at 12:38 PM, Brad Hill <hillbrad@gmail.com> wrote:

> "When considering interactions between a resource's policy and
> user-initiated changes to that resource, for example through extension
> mechanisms or bookmarklets, user agent implementors SHOULD take into
> account the HTML5 Priority of Constituencies (link) when determining whether
> to enforce or report on a policy violation that would be generated by such
> changes."

A UA should take priority of constituencies into account for every feature, so why call it out specifically here? A bookmarklet or extension could have "user" priority (e.g. if the user created it himself/herself) or it could have less of a priority (e.g. if it was sideloaded spyware).

Besides that, SHOULD-level requirements are better left for requirements/recommendations on implementations, not on implementors.

If the spec should say anything about this, it is just that websites cannot rely on CSP to prevent the UA (including extensions) from injecting content into the page or modifying the page. IMO, that should be pretty obvious, because the UA implements CSP, so it doesn't make sense to expect the UA's CSP implementation to protect the website from the UA.

Cheers,
Brian
Received on Monday, 3 February 2014 21:03:06 UTC