- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 27 Jan 2014 10:41:13 -0800
- To: Glenn Adams <glenn@skynav.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Glenn,

I agree that the UA should have the *option* of enforcing CSP over user-supplied scripts and addons. UAs can decide what they want to do to better serve their users according to their own priorities. But, I thought the current phrasing of "SHOULD NOT" is saying exactly that. Based on RFC 2119 [1], can you say more explicitly what changing the current phrasing with "SHOULD NOT" to Option #2 with "MAY" will mean for browsers?

Thanks
Dev

[1] http://www.ietf.org/rfc/rfc2119.txt

On 27 January 2014 10:28, Glenn Adams <glenn@skynav.com> wrote:
> Forwarding to WG ML for wider input.
>
> ---------- Forwarded message ----------
> From: Mike West <mkwst@google.com>
> Date: Mon, Jan 27, 2014 at 11:25 AM
> Subject: Re: CSP formal objection.
> To: Glenn Adams <glenn@skynav.com>
>
> Great, thanks for putting this together. Would you mind making this proposal
> publicly to the list so we can try to come to consensus ahead of Wednesday's
> call?
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
>>
>> On Mon, Jan 27, 2014 at 10:10 AM, Mike West <mkwst@google.com> wrote:
>>>
>>> Hey Glenn,
>>>
>>> Where do you feel we are with
>>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357 ? I'd like to get CSP
>>> 1.1 to last call relatively soon, so I'd like to understand what you think
>>> needs to happen in order for you to consider your objection dealt with in a
>>> way you're happy with.
>>
>> Option #1
>>
>> Our preference would be to simply remove the following text from 3.2.3:
>>
>> "Enforcing a policy should not interfere with the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> Option #2
>>
>> However, absent removing this text, we could accept changing this to a
>> note with a slight rewrite:
>>
>> "Note: A user agent may enforce a policy with respect to the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> Option #3
>>
>> Our actual preference would be to restate the original text as:
>>
>> "A user agent must enforce a policy with respect to the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> But we think the group won't accept this, thus we can accept (at this
>> juncture) either option #1 or #2 or some equivalent.
>>
>> Regards,
>> Glenn (for CoxCom)
>>
>>> Thanks!
>>>
>>> -mike
Received on Monday, 27 January 2014 18:42:01 UTC