1. Is 8 weeks an acceptable timeline for the WG? If so, I'll whip up a LCWD
document and hand it over for publication.
2. I'm happy to mark reflected-xss as at risk; if Microsoft or Apple agrees
that it's a reasonable thing to implement, wonderful. If not, then it'll be
no less proprietary than the 'X-XSS-Protection' header it's trying to
replace.
-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Fri, Jun 20, 2014 at 7:55 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/20/2014 1:03 AM, Mike West wrote:
> > 1) How long should the LC period be? Dan pointed out that summer is
> > difficult to enlist people's time. I suggested that perhaps we end LC
> > immediately before TPAC and we can use the session time there to
> > resolve any issues raised.
> >
> > 3.5 months is a long time, even during the summer.
>
> I thought one month was too short, but I was thinking more like 8 weeks
> would accommodate people. That way whether people take vacation early or
> late in the summer they'll be around for at least part of LC. I don't
> think we should wait until October.
>
> > Blink has implementations of both these directives. If other vendors
> > (Mozilla? Microsoft? Apple?) aren't interested, then we could certainly
> > mark them as "at risk" (although I think it's premature, since we
> > haven't yet issued a call for implementations). Perhaps folks from those
> > browsers could weigh in?
>
> reflected-xss wouldn't do anything in our browser since there's no xss
> filter to turn off. We won't error if we encounter an unknown directive
> so I guess we "support" it to that extent? Somehow I don't think that's
> the kind of second implementation W3 is looking for.
>
> -Dan Veditz
>