
Re: CSP formal objection.

From: Mike West <mkwst@chromium.org>
Date: Wed, 29 Jan 2014 08:15:49 -0800
Message-ID: <CAKXHy=caLSXMUN6Q1cSRN55YfwOmF85q9pFQsBzQYyRpnx91EQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I've landed
https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55
into the working draft. I believe that addresses the objection. Glenn, do
you agree?

-mike


On Tue, Jan 28, 2014 at 3:19 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Jan 28, 2014 at 12:57 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
> >>> Option #1
> >>>
> >>> Our preference would be to simply remove the following text from 3.2.3:
> >>>
> >>> "Enforcing a policy should not interfere with the operation of
> >>> user-supplied scripts such as third-party user-agent add-ons and
> >>> JavaScript bookmarklets."
> >
> > This makes the most sense to me. Web standards have no business
> > talking about UI-level features.
>
> I also agree. The intent is to protect addon developers and addon
> users from having websites disabling their addon functionality. But,
> even within Mozilla there isn't complete agreement on how to interpret
> that text, and I doubt that there's going to be broad agreement across
> implementations.
>
> Cheers,
> Brian
> --
> Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
>
>
Received on Wednesday, 29 January 2014 16:42:49 UTC
