Re: CSP formal objection.

From: Hill, Brad <bhill@paypal.com>
Date: Wed, 29 Jan 2014 19:30:00 +0000
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: Mike West <mkwst@chromium.org>, Brian Smith <brian@briansmith.org>, "Anne van Kesteren" <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <961C8D39-EB90-4CE2-9F1E-7B4BE512FF0E@paypal.com>

Bjoern,

I think the removal of the text simply leaves the matter open to each user agent to implement the interactions between CSP and add-ons according to their own best ability and whatever priority of constituencies they already follow.  It neither implies interference nor non-interference.

Sincerely,

Brad Hill

> On Jan 29, 2014, at 11:24 AM, "Bjoern Hoehrmann" <derhoermi@gmx.net> wrote:
> 
> * Hill, Brad wrote:
>> Thank you, everyone, for working together to a mutually agreeable conclusion.
> 
> There is nothing agreeable about the removal of the text in question.
> CSP is meant to be implemented by user agents, and the requirement in
> question is there to ensure CSP will not be abused to act against the
> interests of the user as part of some kind of digital repression
> mechanism. Clearly, if browsers let CSP interfere with user-controlled
> scripts, they become an agent of someone other than the user. If the
> text is not restored, someone will have to bring this to the attention
> of the W3C Director and the Advisory Committee.
> -- 
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 29 January 2014 19:30:29 UTC