Re: Removal of the note about extensions

From: Glenn Adams <glenn@skynav.com>
Date: Sun, 23 Feb 2014 22:47:08 -0700
Message-ID: <CACQ=j+dn8JrczA=5h0jGziMnMNDsFHDynHb7eOEd_GntFz_1-Q@mail.gmail.com>
To: Mitar <mmitar@gmail.com>
Cc: Mike Pomax Kamermans <pomax@nihongoresources.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sun, Feb 23, 2014 at 6:58 PM, Mitar <mmitar@gmail.com> wrote:

> Hi!
> On Sat, Feb 22, 2014 at 1:09 PM, Glenn Adams <glenn@skynav.com> wrote:
> > That is how UAs work today already, so there is no requirement to state that
> > the UA is ultimately in control (of what policies are applied or not
> > applied). Removing the "recommendation" doesn't alter this situation.
> But it is useful to specify that again and again, to not forget, to
> not leave space for doubt. If UAs already work like that, great, just
> standardize that and it will be easy for UAs to comply with the
> standard.

Because a consensus doesn't exist on what a UA must do. Because in such a
case, it is traditional and typical to explicitly leave it unspecified. I can
assure you that not all UAs will adopt the position of ignoring CSP in the
case of extensions/add-ons. In fact, I'm aware of a downstream
specification that mandates that UAs (that comply with that specification)
must enforce CSP policies, modulo explicit override by end user, in the
case of extensions/add-ons.

Given there will be different choices made in building and deploying
different UAs, it would be presumptuous to choose only one approach.

> Mitar
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
Received on Monday, 24 February 2014 05:48:00 UTC
