- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 11 Feb 2014 23:05:30 +0100
- To: Mike West <mkwst@google.com>
- Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
Mike West wrote:
> In the interests of reducing misunderstanding this time around, would you
> be willing to propose specific changes to the spec text? It might be more
> productive to discuss a specific pull request to
> https://github.com/w3c/webappsec/blob/master/specs/content-security-policy/csp-specification.dev.html
> than to go back and forth about the extent of the dispute in more general
> terms.

I find it rather inappropriate to ask reviewers to edit the HTML for you; it should be entirely sufficient to ask them to sketch out some of the text or to sketch out changes that would remove their concern.

It seems to me adding something like the following might address it (this is for illustrative purposes only, not an actual suggestion):

  Reporting and enforcement can have privacy and other implications, and
  conforming user agents are free to apply policies selectively. For
  instance, user agents might offer the configuration option to report
  only on web sites the user visits frequently. It is incorrect for web
  sites to depend on reporting or enforcement or to use reporting data
  for purposes other than those described in this document.

Fred, how close or far off would that be? It is quite possible that you have something considerably more elaborate in mind.

> If you're referring to the discussion we had a few months ago around the
> impact of reporting on user privacy, then I'd reassert the claim that CSP
> reporting doesn't make anything possible that isn't already possible via
> existing DOM APIs (MutationObserver, event listeners, delayed measurement
> via setTimeout, etc). We can have that discussion again, if you like.

That is never an acceptable response to privacy concerns.

> Authors can't depend on a user agent supporting CSP, and the spec
> explicitly positions the feature as defense-in-depth.

It seems entirely possible to write code that breaks when CSP is not supported or only selectively enforced/reported.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Tuesday, 11 February 2014 22:05:58 UTC
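The message above argues that CSP violation reports carry privacy implications and that sites should not use reporting data beyond its stated purpose. As an added illustration that is not part of the thread or of the CSP specification, the following Python shows what a report-uri endpoint actually receives and one way a site operator can minimise it before storage: the `document-uri` and `referrer` fields are the ones most likely to carry user-identifying query strings and fragments, so they are reduced to origin and path. The field names follow the CSP 1.0 `csp-report` JSON format; the sample report body and the URLs in it are constructed for this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the JSON body a browser POSTs to a CSP report-uri
# endpoint. Field names follow the CSP 1.0 "csp-report" format; the values
# are made up for this example and deliberately include a user-specific
# query string and fragment.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/account/settings?user=alice#tab2",
        "referrer": "https://search.example.test/?q=private+query",
        "blocked-uri": "https://cdn.example.test/script.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri /csp-report",
    }
})

# Fields that describe where the user was, rather than what was blocked.
PRIVACY_SENSITIVE = ("document-uri", "referrer")


def strip_to_origin_and_path(url):
    """Drop the query string and fragment, which commonly carry per-user data."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def minimise_report(body):
    """Parse a csp-report POST body and keep only what is needed to fix the policy.

    Returns a dict with the same keys as the incoming report; the
    privacy-sensitive location fields are reduced to scheme, host and path.
    Raises ValueError if the body is not a csp-report document.
    """
    try:
        document = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("report body is not valid JSON") from exc
    report = document.get("csp-report") if isinstance(document, dict) else None
    if not isinstance(report, dict):
        raise ValueError("not a csp-report document")

    minimised = {}
    for key, value in report.items():
        if key in PRIVACY_SENSITIVE and isinstance(value, str) and value:
            minimised[key] = strip_to_origin_and_path(value)
        else:
            minimised[key] = value
    return minimised


if __name__ == "__main__":
    # Show the raw report beside the minimised one that would be stored.
    print("raw:      ", json.loads(SAMPLE_REPORT)["csp-report"])
    print("minimised:", minimise_report(SAMPLE_REPORT))
```

The point of the reduction is that the fields needed to diagnose a policy problem (`blocked-uri`, `violated-directive`, `original-policy`) are kept intact, while the parts of the report that identify the user's session or search terms are never written to disk.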