
Re: CfC to publish a LCWD of CSP 1.1

From: Mike West <mkwst@google.com>
Date: Wed, 11 Jun 2014 12:43:18 +0200
Message-ID: <CAKXHy=fpNC+5MnmM_qH4RtKxkz5gyr6Kk6nU8Dw7T3SyW2TUPQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Sigbjørn Vik <sigbjorn@opera.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Jun 11, 2014 at 11:31 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jun 11, 2014 at 10:14 AM, Mike West <mkwst@google.com> wrote:
> > * Redirects are blocked by default: authors must opt-in to enabling
> > redirects (which must still match directives' source list) via the new
> > 'unsafe-redirect' source expression:
> >
> https://github.com/w3c/webappsec/commit/d1fd42a6df58ef2a7afedcd12ae2bff76a096d1a
>
> How does this prevent the redirect from happening? It seems to only talk
> about the final URL?
>

The intent is that this algorithm is executed upon each item in the
redirect chain as it pops up. This will be significantly more clear when we
rewrite the spec in terms of Fetch.

> Also, why are we still using the term URI in the specification? I feel
> a bit like a broken record at this point, but CSP is the only
> specification that does this within web platform land.
>

I don't care what we call them, honestly: I vaguely recall someone (Adam?)
making the claim that this was an IETF thing. I'm happy to change the
terminology if that's the right thing to do.

We'd need to alias the report properties, but other than that it should be
a pretty straightforward change.


> It also still talks about 400 response. I raised the point about it
> having to be a network error ages ago. What's the hold up?
>

No good reason beyond my forgetfulness:
https://github.com/w3c/webappsec/commit/14d7fe718764b00d4893d653807974d211f88edd


> Fetch integration will be done in CSP 1.2? I was sort of hoping
> sooner, but I guess that is okay.
>

Two reasons:

1. Time.
2. Clarity around normative references to WHATWG in W3C docs.

I'm planning on forcing the conversation around #2 in the various other
specs we're advancing in the WG (Mixed Content, for instance), but I'd
prefer to just get CSP 1.1 out the door at this point.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
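As an added illustration of the redirect rule discussed above (example code, not from this thread, the spec, or any browser): the CSP 1.1 draft behaviour is modelled as a check run on every URL in the redirect chain, with redirects blocked outright unless the source list carries 'unsafe-redirect'. Source-expression matching is deliberately simplified here to scheme and host with a leading `*.` wildcard; the function names and the sample source lists are assumptions.

```python
from urllib.parse import urlsplit

# Simplified model of the CSP 1.1 draft rule: each URL in the redirect chain
# (the original request plus every redirect target) must match the directive's
# source list, and any redirect at all is refused unless 'unsafe-redirect' is
# present. Real matching also covers ports, paths and keyword sources like 'self';
# this reduced version only looks at scheme and host.

def source_matches(source: str, url: str) -> bool:
    """True if a host-source like https://cdn.example.com or *.example.com
    covers the given URL (simplified model)."""
    parts = urlsplit(url)
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != parts.scheme:
            return False
    else:
        host = source
    hostname = parts.hostname or ""
    if host.startswith("*."):
        return hostname.endswith(host[1:])  # '*.example.com' -> '.example.com'
    return hostname == host

def redirect_chain_allowed(source_list: list[str], chain: list[str]) -> tuple[bool, str]:
    """Evaluate a whole redirect chain; chain[0] is the original request URL.
    Returns (allowed, reason) so the reason can be surfaced in a violation report."""
    allow_redirects = "'unsafe-redirect'" in source_list
    host_sources = [s for s in source_list if s != "'unsafe-redirect'"]
    for index, url in enumerate(chain):
        if index > 0 and not allow_redirects:
            return False, f"redirect to {url} blocked: 'unsafe-redirect' not in source list"
        if not any(source_matches(s, url) for s in host_sources):
            return False, f"{url} does not match the source list"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample: a script-src that names one CDN and a chain that
    # redirects from it to a host outside the source list.
    policy = ["https://cdn.example.com", "'unsafe-redirect'"]
    hops = ["https://cdn.example.com/app.js", "https://other.example.org/app.js"]
    print(redirect_chain_allowed(policy, hops))
```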
Received on Wednesday, 11 June 2014 10:44:09 UTC
