On Sun, Feb 23, 2014 at 6:58 PM, Mitar <mmitar@gmail.com> wrote:
> Hi!
>
> On Sat, Feb 22, 2014 at 1:09 PM, Glenn Adams <glenn@skynav.com> wrote:
> > That is how UAs work today already, so there is no requirement to state
> that
> > the UA is ultimately in control (of what policies are applied or not
> > applied). Removing the "recommendation" doesn't alter this situation.
>
> But it is useful to specify that again and again, to not forget, to
> not leave space for doubt. If UAs already work like that, great, just
> standardize that and it will be easy for UAs to comply with the
> standard.
>
Because a consensus doesn't exist on what a UA must do. Because in such a
case, it is traditional and typical to explicit leave it unspecified. I can
assure you that not all UAs will adopt the position of ignoring CSP in the
case of extensions/add-ons. In fact, I'm aware of a downstream
specification that mandates that UAs (that comply with that specification)
must enforce CSP policies, modulo explicit override by end user, in the
case of extensions/add-ons.
Given there will be different choices made in building and deploying
different UAs, it would be presumptuous to choose only one approach.
>
>
> Mitar
>
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
>