- From: Hill, Brad <bhill@paypal.com>
- Date: Tue, 24 Jun 2014 20:50:01 +0000
- To: Mike West <mkwst@google.com>
- CC: "Daniel Veditz <dveditz@mozilla.com>" <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
If we're going to do this as "Level 2", which seems like consensus, we should also do a shortname change from "CSP11" to "CSP2".

Wendy - can this be simultaneous with the LCWD transition request, or do we need to get the shortname change approved first, then the transition?

-Brad

On Jun 24, 2014, at 7:12 AM, Mike West <mkwst@google.com> wrote:

> I've put up http://w3c.github.io/webappsec/specs/content-security-policy/published/2014-06-24-CSP-2-LCWD.html with an 8-week deadline (13th of August), the "level 2" rename, and 'reflected-xss' and 'referrer' marked as 'at risk'.
>
> Brad, Dan, and Wendy, could you kick off the LC publication process?
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Tue, Jun 24, 2014 at 8:29 AM, Mike West <mkwst@google.com> wrote:
> 1. Is 8 weeks an acceptable timeline for the WG? If so, I'll whip up a LCWD document and hand it over for publication.
>
> 2. I'm happy to mark reflected-xss as at risk; if Microsoft or Apple agrees that it's a reasonable thing to implement, wonderful. If not, then it'll be no less proprietary than the 'X-XSS-Protection' header it's trying to replace.
>
> -mike
>
>
> On Fri, Jun 20, 2014 at 7:55 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/20/2014 1:03 AM, Mike West wrote:
> > 1) How long should the LC period be? Dan pointed out that summer is difficult to enlist people's time. I suggested that perhaps we end LC immediately before TPAC and we can use the session time there to resolve any issues raised.
> >
> > 3.5 months is a long time, even during the summer.
>
> I thought one month was too short, but I was thinking more like 8 weeks would accommodate people. That way whether people take vacation early or late in the summer they'll be around for at least part of LC. I don't think we should wait until October.
>
> > Blink has implementations of both these directives. If other vendors (Mozilla? Microsoft? Apple?) aren't interested, then we could certainly mark them as "at risk" (although I think it's premature, since we haven't yet issued a call for implementations). Perhaps folks from those browsers could weigh in?
>
> reflected-xss wouldn't do anything in our browser since there's no xss filter to turn off. We won't error if we encounter an unknown directive so I guess we "support" it to that extent? Somehow I don't think that's the kind of second implementation W3 is looking for.
>
> -Dan Veditz
Received on Tuesday, 24 June 2014 20:50:33 UTC
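Two points in the thread come down to how a user agent parses a serialized policy: Dan's remark that an unknown directive is not an error (so a browser with no XSS filter "supports" reflected-xss only in the sense that it skips it), and Mike's that reflected-xss is meant to replace the X-XSS-Protection header. The following is an added example, not code from this thread, from the CSP2 draft or from any browser. It is a small CSP2-style policy parser: directive names are the ones in the CSP2 Last Call draft, the two "browser profiles" (one implementing the at-risk directives, one not) and the sample policy are constructed for the illustration, and the reflectedXssToHeader helper is hypothetical, with its allow/filter/block mapping to X-XSS-Protection values assumed from the draft's description of the directive.

```javascript
// Added example: minimal CSP2-style policy parsing showing that an unknown
// directive is silently dropped rather than rejected.

// Directive names defined in the CSP2 Last Call draft.
const CSP2_DIRECTIVES = new Set([
  'base-uri', 'child-src', 'connect-src', 'default-src', 'font-src',
  'form-action', 'frame-ancestors', 'frame-src', 'img-src', 'media-src',
  'object-src', 'plugin-types', 'referrer', 'reflected-xss', 'report-uri',
  'sandbox', 'script-src', 'style-src',
]);

// Constructed browser profiles (assumption, not real vendor behaviour):
// the second one has no XSS filter and no referrer support, so it does
// not recognise the two directives marked "at risk".
const PROFILES = {
  implementsAtRisk: CSP2_DIRECTIVES,
  noAtRisk: new Set([...CSP2_DIRECTIVES].filter(
    (d) => d !== 'reflected-xss' && d !== 'referrer')),
};

// Parse a serialized policy the way the CSP2 draft describes: split on ';',
// trim each token, take the first word as the (ASCII case-insensitive)
// directive name and the rest as its values. Names the user agent does not
// recognise are ignored, as is any later duplicate of a name already seen.
// Nothing here throws: an unknown directive never makes the policy invalid.
function parsePolicy(serialized, supported) {
  const directives = new Map();
  const ignored = [];
  for (const token of serialized.split(';')) {
    const trimmed = token.trim();
    if (trimmed === '') continue;
    const [rawName, ...values] = trimmed.split(/\s+/);
    const name = rawName.toLowerCase();
    if (!supported.has(name) || directives.has(name)) {
      ignored.push(name); // unknown, or a duplicate: skipped, not an error
      continue;
    }
    directives.set(name, values);
  }
  return { directives, ignored };
}

// Hypothetical helper: the X-XSS-Protection header value that the parsed
// reflected-xss directive stands in for. Mapping assumed from the CSP2
// draft's description (allow -> 0, filter -> 1, block -> 1; mode=block).
// Returns null when the directive is absent or its value is unrecognised.
function reflectedXssToHeader(directives) {
  const values = directives.get('reflected-xss');
  if (!values || values.length === 0) return null;
  const keyword = values[0].replace(/^'|'$/g, ''); // tolerate quoted form
  switch (keyword) {
    case 'allow': return '0';
    case 'filter': return '1';
    case 'block': return '1; mode=block';
    default: return null;
  }
}

// Constructed sample policy: mixed-case name, a duplicate script-src that
// must be ignored, and a directive no browser knows.
const SAMPLE = "default-src 'self'; reflected-xss block; referrer no-referrer; "
  + "Script-Src 'self' https://cdn.example; script-src 'none'; totally-unknown foo";

for (const [label, supported] of Object.entries(PROFILES)) {
  const { directives, ignored } = parsePolicy(SAMPLE, supported);
  console.log(label, 'kept:', [...directives.keys()].join(','),
    '| ignored:', ignored.join(','),
    '| X-XSS-Protection equivalent:', reflectedXssToHeader(directives));
}
```

Run with node. The first profile keeps four directives and maps reflected-xss to "1; mode=block"; the second drops reflected-xss and referrer along with the unknown directive and the duplicate, without any error, which is exactly the degree of "support" Dan describes.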