Hi!
On Tue, Feb 25, 2014 at 7:39 AM, Mitar <mmitar@gmail.com> wrote:
>
> > With this in mind, I'm inclined to add a non-normative note to the spec
> > along the lines of "Note that user agents are encouraged to allow
> > third-party add-ons and JavaScript bookmarklets to bypass policy
> > enforcement, either implicitly or based on the user's preference."
>
> Why reinvent the wheel? Here is what SHOULD NOT in the original note means
> per RFC 2119:
>
I noted my justification further down in the email you're quoting:
normative claims and vendor-specific behavior don't mix well. That's why
I'd rephrase the original normative claim as a non-normative note, making
the WG's consensus clear to implementers and authors, while not placing
compatibility obligations on inherently incompatible features.
>
> In this sense this directly addresses Cox's objections: if there are valid
> reasons (compromised extensions, user preference, liability reasons,
> special UAs (kiosk mode)) UAs are allowed to interfere with the
> operation, but UAs have to understand the consequences.
>
Cox, if I understand Glenn correctly, objects strenuously to anything that
implies a positive obligation to allow extensions, add-ons, bookmarklets,
etc. to bypass CSP. "may" is fine, "should" is not, as far as that
objection is concerned.
I don't actually agree with Cox's position, as I hope is obvious, but I
think the text I've suggested is a reasonable compromise.
-mike