- From: Glenn Adams <glenn@skynav.com>
- Date: Wed, 11 Jun 2014 08:37:37 -0600
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Sigbjørn Vik <sigbjorn@opera.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
- Message-ID: <CACQ=j+eRTX65kgDGrTgXN6GLkvKeKqOsif3T4ZO5-5+MCJD6Dw@mail.gmail.com>
+1 for LCWD

On Wed, Jun 11, 2014 at 2:14 AM, Mike West <mkwst@google.com> wrote:

> Hello, lovely Webappsecians,
>
> Over the last week or two, I've landed some changes to the spec which (I
> hope) resolve the outstanding issues folks have raised since I last asked
> about moving to last call (in January[1]). The remaining open issues on
> both GitHub and the webappsec tracker are targeting CSP 1.2, which I'd like
> to get started on once CSP 1.1 is safely on its way out the door.
>
> I think CSP 1.1 is ready to move on; I'd like to see if the group agrees,
> hence this Call for Consensus to move to Last Call. Best case, you all
> agree. Hooray! Worst case, this is a forcing function for all of you to
> note the things you consider blockers, which is also a good outcome. :)
>
> Please read through the current draft, up for review at
> https://w3c.github.io/webappsec/specs/content-security-policy/, and send
> comments to public-webappsec@w3.org. Positive feedback is encouraged.
>
> This CfC will end at our next scheduled call (June 18th, 2014).
>
> ---
>
> The only major issue raised between January and now was covered in the
> long thread concerning redirects and paths (and, tangentially, all of CSP's
> reporting) that started at [2]. The resolution proposed in the draft is the
> following:
>
> * After a redirect, the path component of source expressions is ignored,
> as noted in
> https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-paths-and-redirects
>
> * Redirects are blocked by default: authors must opt-in to enabling
> redirects (which must still match directives' source list) via the new
> 'unsafe-redirect' source expression:
> https://github.com/w3c/webappsec/commit/d1fd42a6df58ef2a7afedcd12ae2bff76a096d1a
>
> * Reporting does not include the origin of a redirect's target, but only
> the origin of the originally requested URL.
>
> I believe this is a reasonable set of compromises for CSP 1.1, does the
> working group agree? Are there additional issues that need to be resolved
> before LC which shouldn't be punted to CSP 1.2? Now's the time to speak up!
>
> [1]:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0121.html
> [2]:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
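The three redirect rules in the quoted draft (path ignored after a redirect, redirects blocked unless 'unsafe-redirect' is in the source list, violation reports naming only the origin of the originally requested URL) are easy to get wrong when reasoning about a policy by hand. The following is an added, self-contained model of those rules in JavaScript; it is not code from the CSP draft, from any browser, or from anyone on this thread. It assumes a simplified source-expression grammar (scheme-only sources, host sources with optional scheme, port, path and a leading `*.` wildcard, plus the 'self', 'none' and 'unsafe-redirect' keywords; nonces and hashes are not modelled), a "default port only" rule when a source omits the port, and the draft's path rule that a source path ending in `/` is a prefix match and any other path is an exact match. The sample policy and URLs are constructed for the example. Note that this is the June 2014 draft behaviour the message describes; the final CSP Level 2 Recommendation dropped 'unsafe-redirect', so do not treat the opt-in as current browser behaviour.

```javascript
// Model of the CSP 1.1 draft's redirect handling as described in the quoted
// CfC. Added illustration only; not the spec's or any browser's code.
// Assumptions: simplified source grammar, no nonce/hash sources.

// Parse one source expression from a directive's source list.
function parseSource(expr) {
  if (expr === "'self'" || expr === "'none'" || expr === "'unsafe-redirect'") {
    return { keyword: expr };
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {           // scheme-only, e.g. "https:"
    return { scheme: expr.slice(0, -1).toLowerCase(), host: null };
  }
  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Draft path rule: trailing "/" means prefix match, otherwise exact match.
function pathMatches(srcPath, urlPath) {
  if (!srcPath) return true;
  return srcPath.endsWith('/') ? urlPath.startsWith(srcPath) : urlPath === srcPath;
}

// Does `url` match one parsed source? When afterRedirect is true the path
// component of the source is ignored, as the draft resolution states.
function urlMatchesSource(url, src, { afterRedirect, selfOrigin }) {
  const u = new URL(url);
  if (src.keyword === "'self'") return u.origin === selfOrigin;
  if (src.keyword) return false;                       // 'none' / 'unsafe-redirect' match nothing
  const scheme = u.protocol.slice(0, -1);
  if (src.scheme && src.scheme !== scheme) return false;
  if (src.host === null) return true;                  // scheme-only source
  const hostOk = src.host.startsWith('*.')
    ? u.hostname.endsWith(src.host.slice(1))
    : u.hostname === src.host;
  if (!hostOk) return false;
  // Assumption: a source without a port only matches the scheme's default port.
  if (src.port ? u.port !== src.port : u.port !== '') return false;
  return afterRedirect || pathMatches(src.path, u.pathname);
}

// Report carries only the origin of the originally requested URL, never the
// redirect target's origin.
function violationReport(originalUrl) {
  return { 'blocked-uri': new URL(originalUrl).origin };
}

// Evaluate one fetch: the initial URL plus any redirect targets it follows.
// Returns { allowed, report } where report is null when allowed.
function checkRequest({ originalUrl, redirects = [] }, sourceList, selfOrigin) {
  const sources = sourceList.split(/\s+/).filter(Boolean).map(parseSource);
  const redirectsAllowed = sources.some(s => s.keyword === "'unsafe-redirect'");
  const matches = (url, afterRedirect) =>
    sources.some(s => urlMatchesSource(url, s, { afterRedirect, selfOrigin }));

  if (!matches(originalUrl, false)) {                   // full match, path included
    return { allowed: false, report: violationReport(originalUrl) };
  }
  for (const target of redirects) {
    // Redirects are blocked by default; with 'unsafe-redirect' the target
    // must still match the source list, but with paths ignored.
    if (!redirectsAllowed || !matches(target, true)) {
      return { allowed: false, report: violationReport(originalUrl) };
    }
  }
  return { allowed: true, report: null };
}

// Constructed sample policy and requests.
const SELF = 'https://app.example.com';
const STRICT = "'self' https://cdn.example.com/js/";
const OPT_IN = STRICT + " 'unsafe-redirect'";

function demo() {
  return {
    directHit: checkRequest({ originalUrl: 'https://cdn.example.com/js/app.js' }, STRICT, SELF),
    wrongPath: checkRequest({ originalUrl: 'https://cdn.example.com/css/site.css' }, STRICT, SELF),
    redirectNoOptIn: checkRequest(
      { originalUrl: 'https://cdn.example.com/js/app.js', redirects: ['https://cdn.example.com/v2/app.js'] },
      STRICT, SELF),
    redirectOptIn: checkRequest(
      { originalUrl: 'https://cdn.example.com/js/app.js', redirects: ['https://cdn.example.com/v2/app.js'] },
      OPT_IN, SELF),
    redirectOffList: checkRequest(
      { originalUrl: 'https://cdn.example.com/js/app.js', redirects: ['https://other.example.net/app.js'] },
      OPT_IN, SELF),
  };
}

module.exports = { parseSource, urlMatchesSource, checkRequest, violationReport, demo };
```

The last case is the reporting rule in action: the redirect to `other.example.net` is blocked, but the report says `https://cdn.example.com`, because the draft deliberately withholds the redirect target's origin from the page.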
Received on Wednesday, 11 June 2014 14:38:25 UTC