
Re: Reporting should be explicitly optional (was Re: CSP formal objection.)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 12 Feb 2014 16:04:32 +0100
To: Mike West <mkwst@google.com>
Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <gh0nf9lnmkrutupb41itnovnua4qa5cr87@hive.bjoern.hoehrmann.de>

* Mike West wrote:
>Sure, forking the repo and editing the HTML is above and beyond. My intent
>was simply to avoid the misinterpretation that the previous iteration of
>this thread suffered from, not to farm out the work of editing the spec.

You should give consideration to the fact that some reviewers reading
this list do not know Git, GitHub, HTML editing, are not fluent enough
in English to write specification prose, and might be intimidated or
embarrassed should they be asked to "file a pull request". In this case,
it is also worth noting that http://www.w3.org/TR/CSP11/ is covered
under the "W3C Document License" and "No right to create modifications
or derivatives of W3C documents is granted pursuant to this license",
so I would indeed consider this out of the question.

It is fine to ask reviewers to sketch out text and changes that would
address their concerns, and offering them the option, when available, to
do so in the form of a patch or pull request or whatever -- if they like
to do so -- is also okay, just do not make it difficult for reviewers to
ignore such offers (and no, ignoring a request to be "more productive"
and avoid "to go back and forth about" something is not trivially easy
for everybody).

>> >If you're referring to the discussion we had a few months ago around the
>> >impact of reporting on user privacy, then I'd reassert the claim that CSP
>> >reporting doesn't make anything possible that isn't already possible via
>> >existing DOM APIs (MutationObserver, event listeners, delayed measurement
>> >via setTimeout, etc). We can have that discussion again, if you like.
>>
>> That is never an acceptable response to privacy concerns.
>
>I disagree. "X is already available." is a pretty reasonable response to
>"If we do Y, X will be available."

You should consider that the concern might actually come with qualifiers
like "by design" or "more reliably" or "more easily". When a browser has
the option to disable third party cookie data, and a web site finds some
clever way to obtain third party cookie data anyway, then that data may
have been "available", but the web site might still get fined for doing
something they should not. We are not talking about information security
here.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 12 February 2014 15:05:02 UTC
