
Re: CSP formal objection.

From: Brian Smith <brian@briansmith.org>
Date: Tue, 28 Jan 2014 15:19:05 -0800
Message-ID: <CAFewVt44-1Su+WeSbx54gNR1N65NQ+nteBX844UYhwaUPiefzQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Jan 28, 2014 at 12:57 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
>>> Option #1
>>>
>>> Our preference would be to simply remove the following text from 3.2.3:
>>>
>>> "Enforcing a policy should not interfere with the operation of
>>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>>> bookmarklets."
>
> This makes the most sense to me. Web standards have no business
> talking about UI-level features.

I also agree. The intent is to protect addon developers and addon
users from having websites disabling their addon functionality. But,
even within Mozilla there isn't complete agreement on how to interpret
that text, and I doubt that there's going to be broad agreement across
implementations.

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
Received on Tuesday, 28 January 2014 23:19:32 UTC
