
Re: CSP formal objection.

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 27 Jan 2014 10:41:13 -0800
Message-ID: <CAPfop_3xL=UgFJqE6H98AKVASnw8XEqrS75YrTmYGxkpqeveEA@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Glenn

I agree that the UA should have the *option* of enforcing CSP over
user-supplied scripts and addons. UAs can decide what they want to do
to better serve their users according to their own priorities.

But, I thought the current phrasing of "SHOULD NOT" is saying exactly
that. Based on RFC 2119[1], can you say more explicitly what changing
the current phrasing with "SHOULD NOT" to Option #2 with "MAY" will
mean for browsers?

Thanks
Dev

[1] http://www.ietf.org/rfc/rfc2119.txt

On 27 January 2014 10:28, Glenn Adams <glenn@skynav.com> wrote:
> Forwarding to WG ML for wider input.
>
> ---------- Forwarded message ----------
> From: Mike West <mkwst@google.com>
> Date: Mon, Jan 27, 2014 at 11:25 AM
> Subject: Re: CSP formal objection.
> To: Glenn Adams <glenn@skynav.com>
>
>
> Great, thanks for putting this together. Would you mind making this proposal
> publicly to the list so we can try to come to consensus ahead of Wednesday's
> call?
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Register court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
>>
>> On Mon, Jan 27, 2014 at 10:10 AM, Mike West <mkwst@google.com> wrote:
>>>
>>> Hey Glenn,
>>>
>>> Where do you feel we are with
>>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357 ?  I'd like to get CSP
>>> 1.1 to last call relatively soon, so I'd like to understand what you think
>>> needs to happen in order for you to consider your objection dealt with in a
>>> way you're happy with.
>>
>>
>> Option #1
>>
>> Our preference would be to simply remove the following text from 3.2.3:
>>
>> "Enforcing a policy should not interfere with the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> Option #2
>>
>> However, absent removing this text, we could accept changing this to a
>> note with a slight rewrite:
>>
>> "Note: A user agent may enforce a policy with respect to the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> Option #3
>>
>> Our actual preference would be to restate the original text as:
>>
>> "A user agent must enforce a policy with respect to the operation of
>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>> bookmarklets."
>>
>> But we think the group won't accept this, thus we can accept (at this
>> juncture) either option #1 or #2 or some equivalent.
>>
>> Regards,
>> Glenn (for CoxCom)
>>
>>>
>>>
>>> Thanks!
>>>
>>> -mike
>>>
>>
>>
>
>
Received on Monday, 27 January 2014 18:42:01 UTC
