Re: CSP formal objection. from Mike West on 2014-02-24 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Mon, 24 Feb 2014 14:38:05 +0100
To: Nicholas Doty <npdoty@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Fred Andrews <fredandw@live.com>
Message-ID: <CAKXHy=dac0i_J1xcOBJTVdBY3if83Ej2ZqEcHNtA4iFtnkebKw@mail.gmail.com>

>
> That suggests not only that a conforming implementation doesn't have
> flexibility on defaults but that no option is provided to the end user.
> (That is at least how I understand Fred's concern.) It may be that the note
> Mike added in the editors' draft [0] addresses that concern, and if so,
> great! (Another alternative would be to change instances of "MUST report a
> violation" to "MAY report a violation".)
>

I'm hopeful that the note you've referenced addresses this concern. UAs
should be free to do anything to protect user privacy. If, however, they
decide to implement the reporting functionality, it ought to be done as
specified. In other words, reporting isn't meant to be a generally optional
part of the spec, but should indeed be implemented in some interoperable
form by conforming UAs.

Similarly, the requirements around HTML's <img> tag are generally "MUST",
though it's common for user agents to offer the ability to disable images
globally, or for specific sites. I read that as "If images are loaded,
here's how you do it."

-mike

Received on Monday, 24 February 2014 13:38:54 UTC