- From: Mitar <mmitar@gmail.com>
- Date: Sun, 23 Feb 2014 22:50:11 -0800
- To: Glenn Adams <glenn@skynav.com>
- Cc: Mike Pomax Kamermans <pomax@nihongoresources.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi!

On Sun, Feb 23, 2014 at 9:47 PM, Glenn Adams <glenn@skynav.com> wrote:
> Because a consensus doesn't exist on what a UA must do.

How does it not exist? So which UA is currently saying that they will block extensions from working if this is demanded by the site through CSP? I heard only examples that Mozilla and Blink are saying that of course they will not block. So, let's put this into writing and we are all good.

And such argumentation is really silly. First you are saying that because there is a consensus and of course nobody will block, there is no need to put this into the standard. And then also because there is no consensus, there is nothing to put into the standard.

So let's find what UAs are saying. Which one is saying that they will block extensions from working if so demanded by the site through CSP?

> I can assure you that not all UAs will adopt the position of ignoring CSP in the case of
> extensions/add-ons. In fact, I'm aware of a downstream specification that mandates
> that UAs (that comply with that specification) must enforce CSP policies, modulo explicit
> override by end user, in the case of extensions/add-ons.

No problem. They do not have to. They can ignore the standard and be non-compliant. Nobody is forcing them to be standard compliant. Even more, the previous language used SHOULD, which would make them standard compliant even if they would block extensions but have a good reason for it:

"This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."

http://tools.ietf.org/html/rfc2119

What is unclear about that? If UAs have a special reason to ignore it (for example, use of a UA in some special environment, where a domain administrator locks down UAs) they can still do it. One such example would be using UAs in kiosk mode.
Mitar -- http://mitar.tnode.com/ https://twitter.com/mitar_m
Received on Monday, 24 February 2014 06:50:38 UTC