Re: CSP formal objection.

From: Glenn Adams <glenn@skynav.com>
Date: Wed, 29 Jan 2014 09:47:16 -0700
Message-ID: <CACQ=j+cGDOJubsB9torYEyb1Ly7+FyLDhM_TWik7vNnYipgvSA@mail.gmail.com>
To: Mike West <mkwst@chromium.org>
Cc: Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Yes, that addresses our concern at first order. I will close the bug.

Thanks, Glenn


On Wed, Jan 29, 2014 at 9:15 AM, Mike West <mkwst@chromium.org> wrote:

> I've landed
> https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55 into the working draft. I believe that addresses the objection. Glenn, do
> you agree?
>
> -mike
>
> -Mike
>
>
> On Tue, Jan 28, 2014 at 3:19 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> On Tue, Jan 28, 2014 at 12:57 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>> >> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
>> >>> Option #1
>> >>>
>> >>> Our preference would be to simply remove the following text from 3.2.3:
>> >>>
>> >>> "Enforcing a policy should not interfere with the operation of
>> >>> user-supplied scripts such as third-party user-agent add-ons and
>> >>> JavaScript bookmarklets."
>> >
>> > This makes the most sense to me. Web standards have no business
>> > talking about UI-level features.
>>
>> I also agree. The intent is to protect addon developers and addon
>> users from having websites disabling their addon functionality. But,
>> even within Mozilla there isn't complete agreement on how to interpret
>> that text, and I doubt that there's going to be broad agreement across
>> implementations.
>>
>> Cheers,
>> Brian
>> --
>> Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
>>
>>
>
Received on Wednesday, 29 January 2014 16:48:05 UTC