
Re: CSP formal objection.

From: Neil Matatall <neilm@twitter.com>
Date: Wed, 29 Jan 2014 12:05:23 -0800
Message-ID: <CAOFLtbhQZfGm_ZxcY2AO38+Q9v+TZLY55L_prBtG-dZqrZSdgg@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: "Hill, Brad" <bhill@paypal.com>, Mike West <mkwst@chromium.org>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

In some recent conversations this was generally accepted because, as
Dev said, "the UA should have the *option* of enforcing CSP over
user-supplied scripts and addons".

This change adequately reflects that position to me. The other points
were just to emphasize that we should do this.

On Wed, Jan 29, 2014 at 11:52 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Hill, Brad wrote:
>>There is also the unfortunate reality that the original text cannot
>>advance beyond Candidate Rec anyway, because no user agent has
>>successfully implemented it. So it is living on borrowed time wrt the
>>W3C process anyway.
>
> You are welcome to demonstrate that no user agent has implemented it, I
> have seen no evidence of that; and you are welcome to argue that lack of
> implementations should be sufficient reason to remove the text, but that
> has nothing to do with the W3C Process. It is entirely normal for W3C
> Technical Reports to be advanced beyond Candidate Recommendation status
> even if some "SHOULD NOT" requirement has not been widely implemented.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>
Received on Wednesday, 29 January 2014 20:05:52 UTC
