
Re: CSP formal objection.

From: Mike West <mkwst@google.com>
Date: Fri, 7 Feb 2014 15:20:13 +0100
Message-ID: <CAKXHy=eFjvjXX6KmuKbJXGGNk6qCD1fB11suKrsT79=ci=uHqg@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: Web Application Security Working Group <public-webappsec@w3.org>

Hi Fred!

On Fri, Feb 7, 2014 at 8:31 AM, Fred Andrews <fredandw@live.com> wrote:

> It seems that the technical issues have not been solved, and the UA vendors have not followed through with the commitments made, and this changes the landscape so I reopen the dispute.

Really? My impression is that Chrome does a generally reasonable job with
extensions (though a less reasonable job with bookmarklets). There are edge
cases that we don't have good solutions for, but I'd hardly call the state
of affairs dire. If that's incorrect, please do submit bug reports. I'll do
my best to fix them.

> I would like the CSP to be amended to note that the sending of CSP reports is optional in a conforming implementation and that the UA should expect a website to supply a useful CSP that does not depend on the website implementing an overly broad CSP and analyzing the reports.

I don't really understand this sentence. Can you explain what you mean
with regard to the UA's expectations with regard to the website?

In any event, I assume the request relates to the discussion we had at the
end of 2012[1, 2] regarding fingerprinting. My impression was that we'd
resolved that in the WG (though I recall that you didn't agree with the
consensus reached).

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0029.html
[2]: https://www.w3.org/2011/webappsec/track/issues/11

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 7 February 2014 14:21:01 UTC
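As an added example, not code from this thread or from any UA vendor: a minimal consumer for the CSP report-uri endpoint that Fred's request refers to. It takes the JSON bodies a browser POSTs on a violation, drops the reports that only reveal a visitor's installed extensions (the fingerprinting concern Mike points back to), and tallies the remaining blocked origins into a draft source list per directive, i.e. the "ship a broad report-only policy, then analyze the reports" workflow the request objects to. The extension scheme list, the constructed sample reports and the function names are this example's own assumptions.

```javascript
// Added example: a report-uri consumer that filters extension noise and
// proposes a tighter policy from the reports that remain. Not from the
// thread; sample reports below are constructed for this example.
//
// Typical deployment header this endpoint would receive reports for:
//   Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report

// Schemes used by browser extensions. A report whose blocked-uri carries one
// of these describes the visitor's extensions, not the site's resources:
// logging it fingerprints the user and adds nothing to the policy.
const EXTENSION_SCHEMES = [
  "chrome-extension:", "moz-extension:", "safari-extension:", "ms-browser-extension:",
];

// Parse one POSTed body in the {"csp-report": {...}} wrapper.
// Level 2 reports carry "effective-directive"; Level 1 only "violated-directive",
// whose first token is the directive name.
function parseCspReport(body) {
  let obj;
  try { obj = JSON.parse(body); } catch { return null; }
  const r = obj && obj["csp-report"];
  if (!r || typeof r !== "object") return null;
  const directive = r["effective-directive"] || String(r["violated-directive"] || "").split(" ")[0];
  if (!directive) return null;
  return {
    directive,
    blockedUri: String(r["blocked-uri"] || ""),
    documentUri: String(r["document-uri"] || ""),
  };
}

function isExtensionNoise(report) {
  return EXTENSION_SCHEMES.some((s) => report.blockedUri.startsWith(s));
}

// Map a blocked-uri to the source expression that would have allowed it.
// "inline" and "eval" are bare tokens in reports, not URLs.
function sourceFromBlockedUri(blockedUri) {
  if (blockedUri === "inline") return "'unsafe-inline'";
  if (blockedUri === "eval") return "'unsafe-eval'";
  if (blockedUri === "" || blockedUri === "self") return null;
  try {
    const u = new URL(blockedUri);
    // Opaque origins (data:, blob:) map to a scheme source.
    return u.origin !== "null" ? u.origin : u.protocol;
  } catch { return null; }
}

// Aggregate a batch of report bodies into per-directive source sets.
function summarize(bodies) {
  const stats = { accepted: 0, droppedExtension: 0, malformed: 0, sources: {} };
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (!rep) { stats.malformed++; continue; }
    if (isExtensionNoise(rep)) { stats.droppedExtension++; continue; }
    stats.accepted++;
    const src = sourceFromBlockedUri(rep.blockedUri);
    if (!src) continue;
    const set = stats.sources[rep.directive] || (stats.sources[rep.directive] = new Set());
    set.add(src);
  }
  return stats;
}

// Render the tally as a candidate policy for a human to review.
function proposedPolicy(stats) {
  return Object.entries(stats.sources)
    .map(([d, set]) => `${d} 'self' ${[...set].sort().join(" ")}`)
    .join("; ");
}

// Constructed sample reports (not captured traffic).
const wrap = (r) => JSON.stringify({ "csp-report": { "document-uri": "https://app.example.com/", ...r } });
const SAMPLE_REPORTS = [
  wrap({ "effective-directive": "script-src", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example.net/lib.js" }),
  wrap({ "effective-directive": "script-src", "violated-directive": "script-src 'self'", "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js" }),
  wrap({ "violated-directive": "script-src 'self'", "blocked-uri": "inline" }),
  wrap({ "effective-directive": "img-src", "violated-directive": "default-src 'self'", "blocked-uri": "https://images.example.org/a.png" }),
  "not json at all",
];

const STATS = summarize(SAMPLE_REPORTS);
console.log(STATS.accepted, "accepted,", STATS.droppedExtension, "extension reports dropped,", STATS.malformed, "malformed");
console.log("Proposed:", proposedPolicy(STATS));
```

The tally surfaces 'unsafe-inline' because an inline script fired a report; that is the cue to move the script to a file or a nonce rather than to copy the token into the shipped policy. Dropping extension-scheme reports before they are written to storage is the cheaper half of the fingerprinting mitigation; the other half, which this example does not address, is the UA not sending them at all.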
