Re: CfC to publish a LCWD of CSP 1.1

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 20 Jun 2014 10:55:59 -0700
Message-ID: <53A475AF.2010709@mozilla.com>
To: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>
CC: Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>

On 6/20/2014 1:03 AM, Mike West wrote:
>   1) How long should the LC period be?   Dan pointed out that summer is
>   difficult to enlist people's time.  I suggested that perhaps we end LC
>   immediately before TPAC and we can use the session time there to
>   resolve any issues raised.
> 
> 3.5 months is a long time, even during the summer.

I thought one month was too short, but I was thinking more like 8 weeks
would accommodate people. That way whether people take vacation early or
late in the summer they'll be around for at least part of LC. I don't
think we should wait until October.

> Blink has implementations of both these directives. If other vendors
> (Mozilla? Microsoft? Apple?) aren't interested, then we could certainly
> mark them as "at risk" (although I think it's premature, since we
> haven't yet issued a call for implementations). Perhaps folks from those
> browsers could weigh in?

reflected-xss wouldn't do anything in our browser since there's no xss
filter to turn off. We won't error if we encounter an unknown directive
so I guess we "support" it to that extent? Somehow I don't think that's
the kind of second implementation W3 is looking for.

-Dan Veditz
Received on Friday, 20 June 2014 17:56:30 UTC
