- From: Mike West <mkwst@google.com>
- Date: Thu, 16 Jan 2014 11:38:13 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Brad Hill <hillbrad@gmail.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>
- Message-ID: <CAKXHy=c__KHKuFAATptB=zUhmwyYmjbfWXGE-qJG9sk7AFteXw@mail.gmail.com>
Hello, lovely webappseccers.

Based on my conversations with developers both inside and outside Google, nonces and hashes are critically important to make CSP something they can reasonably implement in their applications. I'd like to get CSP 1.1 to CR at some point in the reasonably near future so we can start getting those features out in front of developers.

As a first practical step, I'd like to publish an updated working draft based on the current state of the document[1].

As a second step, I'd like to know if there are any outstanding issues that folks in the WG think should block moving to last call. I believe all the items in Brad's poll[2] late last year have been addressed. The changes I made over the holidays seem to be reasonably acceptable (though there are some concerns around back compat.)[3]. There are a few open actions on the tracker[4], but it's not clear to me that any are blockers.

So, does moving to CR soonish seem reasonable? If not, what do you care about that hasn't been addressed?

Thanks!

-mike

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0086.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0076.html
[4]: https://www.w3.org/2011/webappsec/track/actions/open

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 16 January 2014 10:44:09 UTC