- From: <bugzilla@jessica.w3.org>
- Date: Wed, 11 Jun 2014 14:46:25 +0000
- To: public-webappsec@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26061
Bug ID: 26061
Summary: Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.
Product: WebAppsSec
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: CSP
Assignee: w3c@adambarth.com
Reporter: glenn@skynav.com
QA Contact: dave.null@w3.org
CC: mike@w3.org, public-webappsec@w3.org
CSP 1.1 specifies in Section 5:
"Note: User agents may allow users to modify or bypass policy enforcement
through user preferences, bookmarklets, third-party additions to the user
agent, and other such mechanisms."
In contrast, CSP 1.0 specifies in Section 3.3:
"Enforcing a CSP policy should not interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and JavaScript
bookmarklets."
and in Section 4.2:
"(The user agent should execute script contained in "bookmarklets" even when
enforcing this restriction.)"
In order to reduce confusion by authors and developers, the language in CSP 1.0
should be changed to match that in CSP 1.1: specifically, (1) replace the above
language cited from 3.3 with the note cited above in CSP1.1, and (2) remove the
parenthetical cited from 4.2.
This change does not impact conformance since CSP 1.0 casts the language in
terms of a recommendation (should) and not a mandatory (must) requirement.
Consequently, this change may be made without requiring a new LC or CR.
Received on Wednesday, 11 June 2014 14:46:27 UTC