- From: Mike West <mkwst@google.com>
- Date: Wed, 29 Jan 2014 13:58:51 -0800
- To: Neil Matatall <neilm@twitter.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "Hill, Brad" <bhill@paypal.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dYF=HUBKrfzBY6V70eeaa8V-WdO+tOxpuUgu6AR18J0A@mail.gmail.com>
With my editor hat on: there's no reasonable way to validate this sentence for cross-browser compatibility. It is vague enough to allow multiple interpretations (what does "interfere" mean, really?), and different vendors allow add-ons different capabilities which the spec is necessarily silent on. For instance, nothing in the spec notes that Chrome's content settings should be able to block resources otherwise allowed by CSP.

With my browser vendor hat on: I don't plan to change Chrome's behavior to make extensions more subject to a page's CSP, regardless of this sentence's presence in the spec. That runs counter to extensions' purpose, and the priority of constituencies.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jan 29, 2014 at 12:05 PM, Neil Matatall <neilm@twitter.com> wrote:

> In some recent conversations this was generally accepted because as
> Dev said, "the UA should have the *option* of enforcing CSP over
> user-supplied scripts and addons"
>
> This change adequately reflects that position to me. The other points
> were just to emphasize that we should do this.
>
> On Wed, Jan 29, 2014 at 11:52 AM, Bjoern Hoehrmann <derhoermi@gmx.net>
> wrote:
> > * Hill, Brad wrote:
> >>There is also the unfortunate reality that the original text cannot
> >>advance beyond Candidate Rec anyway, because no user agent has
> >>successfully implemented it. So it is living on borrowed time wrt the
> >>W3C process anyway.
> >
> > You are welcome to demonstrate that no user agent has implemented it, I
> > have seen no evidence of that; and you are welcome to argue that lack of
> > implementations should be sufficient reason to remove the text, but that
> > has nothing to do with the W3C Process. It is entirely normal for W3C
> > Technical Reports to be advanced beyond Candidate Recommendation status
> > even if some "SHOULD NOT" requirement has not been widely implemented.
> > --
> > Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> > Am Badedeich 7 · Telephone: +49(0)160/4415681 · http://www.bjoernsworld.de
> > 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Wednesday, 29 January 2014 21:59:41 UTC