
Re: CSP formal objection.

From: Mike West <mkwst@google.com>
Date: Wed, 29 Jan 2014 13:58:51 -0800
Message-ID: <CAKXHy=dYF=HUBKrfzBY6V70eeaa8V-WdO+tOxpuUgu6AR18J0A@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "Hill, Brad" <bhill@paypal.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
With my editor hat on: there's no reasonable way to validate this sentence
for cross-browser compatibility. It is vague enough to allow multiple
interpretations (what does "interfere" mean, really?), and different
vendors allow add-ons different capabilities which the spec is necessarily
silent on. For instance, nothing in the spec notes that Chrome's content
settings should be able to block resources otherwise allowed by CSP.

With my browser vendor hat on: I don't plan to change Chrome's behavior to
make extensions more subject to a page's CSP, regardless of this sentence's
presence in the spec. That runs counter to extensions' purpose, and the
priority of constituencies.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office of the company: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Jan 29, 2014 at 12:05 PM, Neil Matatall <neilm@twitter.com> wrote:

> In some recent conversations this was generally accepted because as
> Dev said, "the UA should have the *option* of enforcing CSP over
> user-supplied scripts and addons"
>
> This change adequately reflects that position to me. The other points
> were just to emphasize that we should do this.
>
> On Wed, Jan 29, 2014 at 11:52 AM, Bjoern Hoehrmann <derhoermi@gmx.net>
> wrote:
> > * Hill, Brad wrote:
> >>There is also the unfortunate reality that the original text cannot
> >>advance beyond Candidate Rec anyway, because no user agent has
> >>successfully implemented it. So it is living on borrowed time wrt the
> >>W3C process anyway.
> >
> > You are welcome to demonstrate that no user agent has implemented it, I
> > have seen no evidence of that; and you are welcome to argue that lack of
> > implementations should be sufficient reason to remove the text, but that
> > has nothing to do with the W3C Process. It is entirely normal for W3C
> > Technical Reports to be advanced beyond Candidate Recommendation status
> > even if some "SHOULD NOT" requirement has not been widely implemented.
> > --
> > Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> > Am Badedeich 7 · Telephone: +49(0)160/4415681 · http://www.bjoernsworld.de
> > 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
> >
>
Received on Wednesday, 29 January 2014 21:59:41 UTC