
Re: Removal of the note about extensions

From: Mike West <mkwst@google.com>
Date: Tue, 25 Feb 2014 11:35:14 +0100
Message-ID: <CAKXHy=eQpcuc69h=9ZLH8C0pMw6rQPZwohUMtVUoZYx009ftXA@mail.gmail.com>
To: Mitar <mmitar@gmail.com>
Cc: Glenn Adams <glenn@skynav.com>, Mike Pomax Kamermans <pomax@nihongoresources.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi!

On Tue, Feb 25, 2014 at 7:39 AM, Mitar <mmitar@gmail.com> wrote:
>
> > With this in mind, I'm inclined to add a non-normative note to the spec
> > along the lines of "Note that user agents are encouraged to allow
> > third-party add-ons and JavaScript bookmarklets to bypass policy
> > enforcement, either implicitly or based on the user's preference."
>
> Why reinvent the wheel? RFC 2119 here is what SHOULD NOT in the original note
> means:
>

I noted my justification further down in the email you're quoting:
normative claims and vendor-specific behavior don't mix well. That's why
I'd rephrase the original normative claim as a non-normative note, making
the WG's consensus clear to implementers and authors, while not placing
compatibility obligations on inherently incompatible features.

> In this sense this directly addresses Cox's objections: if there are valid
> reasons (compromised extensions, user preference, liability reasons,
> special UAs (kiosk mode)) UAs are allowed to interfere with the
> operation, but UAs have to understand the consequences.
>

Cox, if I understand Glenn correctly, objects strenuously to anything that
implies a positive obligation to allow extensions, add-ons, bookmarklets,
etc. to bypass CSP. "may" is fine, "should" is not, as far as that
objection is concerned.

I don't actually agree with Cox's position, as I hope is obvious, but I
think the text I've suggested is a reasonable compromise.

-mike
Received on Tuesday, 25 February 2014 10:36:03 UTC