
Re: CSP formal objection.

From: Hill, Brad <bhill@paypal.com>
Date: Wed, 29 Jan 2014 19:04:41 +0000
To: Glenn Adams <glenn@skynav.com>
CC: Mike West <mkwst@chromium.org>, Brian Smith <brian@briansmith.org>, "Anne van Kesteren" <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <FFACA47F-15F4-4A4C-ADE3-0B5FE11C2A20@paypal.com>

Thank you, everyone, for working together to a mutually agreeable conclusion.

On Jan 29, 2014, at 8:48 AM, "Glenn Adams" <glenn@skynav.com> wrote:

Yes, that addresses our concern at first order. I will close the bug.

Thanks, Glenn


On Wed, Jan 29, 2014 at 9:15 AM, Mike West <mkwst@chromium.org> wrote:
I've landed https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55 into the working draft. I believe that addresses the objection. Glenn, do you agree?

-mike

-Mike


On Tue, Jan 28, 2014 at 3:19 PM, Brian Smith <brian@briansmith.org> wrote:
On Tue, Jan 28, 2014 at 12:57 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
>>> Option #1
>>>
>>> Our preference would be to simply remove the following text from 3.2.3:
>>>
>>> "Enforcing a policy should not interfere with the operation of
>>> user-supplied scripts such as third-party user-agent add-ons and JavaScript
>>> bookmarklets."
>
> This makes the most sense to me. Web standards have no business
> talking about UI-level features.

I also agree. The intent is to protect addon developers and addon
users from having websites disabling their addon functionality. But,
even within Mozilla there isn't complete agreement on how to interpret
that text, and I doubt that there's going to be broad agreement across
implementations.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
Received on Wednesday, 29 January 2014 19:05:11 UTC
