W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: CSP formal objection.

From: Fred Andrews <fredandw@live.com>
Date: Fri, 7 Feb 2014 07:31:42 +0000
Message-ID: <BLU179-W89F74F4508C7763FD07783AA970@phx.gbl>
To: Web Application Security Working Group <public-webappsec@w3.org>
> * Hill, Brad wrote:
>
> There is also the unfortunate reality that the original text cannot advance beyond Candidate Rec anyway, because no user agent has successfully implemented it. So it is living on borrowed time wrt the W3C process anyway.

The text was added in part as a resolution of a dispute over CSP privacy issues.

It seems that the technical issues have not been solved, and the UA vendors have not followed though with the commitments made, and this changes the landscape so I reopen the dispute.

I would like the CSP to be amended to note that the sending of CSP reports is optional in a conforming implementation and that the UA should expect a website to supply a useful CSP that does not depend on the website implementing an overly broad CSP and analyzing the reports.

cheers
Fred

 


 		 	   		  
Received on Friday, 7 February 2014 07:32:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC