
[Bug 26061] New: Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.

From: <bugzilla@jessica.w3.org>
Date: Wed, 11 Jun 2014 14:46:25 +0000
To: public-webappsec@w3.org
Message-ID: <bug-26061-4874@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26061

            Bug ID: 26061
           Summary: Improve consistency with CSP 1.1 w.r.t.
                    add-on/extension semantics.
           Product: WebAppsSec
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: CSP
          Assignee: w3c@adambarth.com
          Reporter: glenn@skynav.com
        QA Contact: dave.null@w3.org
                CC: mike@w3.org, public-webappsec@w3.org

CSP 1.1 specifies in Section 5:

"Note: User agents may allow users to modify or bypass policy enforcement
through user preferences, bookmarklets, third-party additions to the user
agent, and other such mechanisms."

In contrast, CSP 1.0 specifies in Section 3.3:

"Enforcing a CSP policy should not interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and JavaScript
bookmarklets."

and in Section 4.2:

"(The user agent should execute script contained in "bookmarklets" even when
enforcing this restriction.)"

In order to reduce confusion by authors and developers, the language in CSP 1.0
should be changed to match that in CSP 1.1: specifically, (1) replace the above
language cited from 3.3 with the note cited above in CSP1.1, and (2) remove the
parenthetical cited from 4.2.

This change does not impact conformance since CSP 1.0 casts the language in
terms of a recommendation (should) and not a mandatory (must) requirement.
Consequently, this change may be made without requiring a new LC or CR.

Received on Wednesday, 11 June 2014 14:46:27 UTC
