Re: CfC to publish a LCWD of CSP 1.1

From: Mike West <mkwst@google.com>
Date: Wed, 11 Jun 2014 12:48:55 +0200
Message-ID: <CAKXHy=c+zeuQTbGwbc_i+avU+RVcP+xXqcj=itJBvQRnfrBApQ@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Jun 11, 2014 at 12:41 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> Looks good, then I have no further objections. Thanks for the
> constructive work, and putting up with my paranoia :)
>

Thanks for being constructively paranoid.


> Optionally, include the cross domain check.
>

I think the cross-domain check is already in: see "along with requests for
resources whose origin does not match the protected resource’s origin" in
https://w3c.github.io/webappsec/specs/content-security-policy/#ch-csp-client-hint
.

Did I miss it somewhere else?


> I think the following code has one too many nots in it:
> "source list <em>does not</em> contain the  <code>'unsafe-redirect'</code>"


Ah. Yes. I got a bit carried away there. :)

https://github.com/w3c/webappsec/commit/aa120cf40e95c0da63ca7d30bdbabd12fb826d02

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 June 2014 10:49:49 UTC