Re: CSP formal objection. from Mike West on 2014-01-29 (public-webappsec@w3.org from January 2014)

From: Mike West <mkwst@chromium.org>
Date: Wed, 29 Jan 2014 08:15:49 -0800
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=caLSXMUN6Q1cSRN55YfwOmF85q9pFQsBzQYyRpnx91EQ@mail.gmail.com>

I've landed
https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55into
the working draft. I believe that addresses the objection. Glenn, do
you agree?

-mike

-Mike


On Tue, Jan 28, 2014 at 3:19 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Jan 28, 2014 at 12:57 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
> >>> Option #1
> >>>
> >>> Our preference would be to simply remove the following text from 3.2.3:
> >>>
> >>> "Enforcing a policy should not interfere with the operation of
> >>> user-supplied scripts such as third-party user-agent add-ons and
> JavaScript
> >>> bookmarklets."
> >
> > This makes the most sense to me. Web standards have no business
> > talking about UI-level features.
>
> I also agree. The intent is to protect addon developers and addon
> users from having websites disabling their addon functionality. But,
> even within Mozilla there isn't complete agreement on how to interpret
> that text, and I doubt that there's going to be broad agreement across
> implementations.
>
> Cheers,
> Brian
> --
> Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
>
>

Received on Wednesday, 29 January 2014 16:42:49 UTC