
Re: CfC to publish a LCWD of CSP 1.1

From: Mike West <mkwst@google.com>
Date: Tue, 24 Jun 2014 16:12:35 +0200
Message-ID: <CAKXHy=fAeq=AbKoGQ8zS17DF8dK5LpAz7TewW3wY55dpcvbL6Q@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
I've put up
http://w3c.github.io/webappsec/specs/content-security-policy/published/2014-06-24-CSP-2-LCWD.html
with an 8-week deadline (13th of August), the "level 2" rename, and
'reflected-xss' and 'referrer' marked as 'at risk'.

Brad, Dan, and Wendy, could you kick off the LC publication process?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Jun 24, 2014 at 8:29 AM, Mike West <mkwst@google.com> wrote:

> 1. Is 8 weeks an acceptable timeline for the WG? If so, I'll whip up a
> LCWD document and hand it over for publication.
>
> 2. I'm happy to mark reflected-xss as at risk; if Microsoft or Apple
> agrees that it's a reasonable thing to implement, wonderful. If not, then
> it'll be no less proprietary than the 'X-XSS-Protection' header it's trying
> to replace.
>
> -mike
>
>
> On Fri, Jun 20, 2014 at 7:55 PM, Daniel Veditz <dveditz@mozilla.com>
> wrote:
>
>> On 6/20/2014 1:03 AM, Mike West wrote:
>> > 1) How long should the LC period be? Dan pointed out that summer is
>> > difficult to enlist people's time. I suggested that perhaps we end LC
>> > immediately before TPAC and we can use the session time there to
>> > resolve any issues raised.
>> >
>> > 3.5 months is a long time, even during the summer.
>>
>> I thought one month was too short, but I was thinking more like 8 weeks
>> would accommodate people. That way whether people take vacation early or
>> late in the summer they'll be around for at least part of LC. I don't
>> think we should wait until October.
>>
>> > Blink has implementations of both these directives. If other vendors
>> > (Mozilla? Microsoft? Apple?) aren't interested, then we could certainly
>> > mark them as "at risk" (although I think it's premature, since we
>> > haven't yet issued a call for implementations). Perhaps folks from those
>> > browsers could weigh in?
>>
>> reflected-xss wouldn't do anything in our browser since there's no XSS
>> filter to turn off. We won't error if we encounter an unknown directive,
>> so I guess we "support" it to that extent? Somehow I don't think that's
>> the kind of second implementation W3 is looking for.
>>
>> -Dan Veditz
>>
>
>
Received on Tuesday, 24 June 2014 14:13:26 UTC