Re: Removal of the note about extensions from Mitar on 2014-02-24 (public-webappsec@w3.org from February 2014)

From: Mitar <mmitar@gmail.com>
Date: Sun, 23 Feb 2014 22:50:11 -0800
To: Glenn Adams <glenn@skynav.com>
Cc: Mike Pomax Kamermans <pomax@nihongoresources.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKLmikPKLbwHAP4XyzdjcDxJysqMvSLTxTraLTzE2dVqwRYAJA@mail.gmail.com>

Hi!

On Sun, Feb 23, 2014 at 9:47 PM, Glenn Adams <glenn@skynav.com> wrote:
> Because a consensus doesn't exist on what a UA must do.

How is does not exist? So which UA is currently saying that they will
block extensions from working if this is demanded by the site through
CSP? I heard only examples that Mozilla and Blink are saying that of
course they will not block. So, let's put this into writing and we are
all good.

And such argumentation is really silly. First you are saying that
because there is a consensus and of course nobody will block, there is
no need to put this into the standard. And then also because there is
no consensus, there is nothing to put into the standard.

So let's find what UAs are saying. Which one is saying that they will
block extensions from working if so demanded by the site through CSP?

> I can assure you that not all UAs will adopt the position of ignoring CSP in the case of
> extensions/add-ons. In fact, I'm aware of a downstream specification that mandates
> that UAs (that comply with that specification) must enforce CSP policies, modulo explicit
> override by end user, in the case of extensions/add-ons.

No problem. They do not have to. They can ignore the standard and be
non compliant. Nobody is forcing them to be standard compliant.

Even more, previous language used SHOULD which would made them
standard compliant even if they would block extensions but have a good
reason for it:

"This word, or the adjective "RECOMMENDED", mean that there may exist
valid reasons in particular circumstances to ignore a particular item,
but the full implications must be understood and carefully weighed
before choosing a different course."

http://tools.ietf.org/html/rfc2119

What is unclear about that? If UAs have a special reason to ignore it
(for example, use of a UA in some special environment, where domain
administrator locks down UAs) they can still do it. One such example
would be using UAs in kiosks mode.

Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m

Received on Monday, 24 February 2014 06:50:38 UTC