Re: CSP Spec question

From: Mike West <mkwst@google.com>
Date: Wed, 28 May 2014 14:19:44 +0200
Message-ID: <CAKXHy=dAFnejHhQW_REbLC_web9txm7hTZu+Q5GcLH=FH8PMrQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mike@mikewest.org>, WebAppSec WG <public-webappsec@w3.org>, Adam Gray <adam@trackif.com>
On Wed, May 28, 2014 at 1:08 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I'm not sure I agree with that. If that were true, Chrome would not be
> trying to move away from NPAPI, Safari would support Flash and other
> plugins on iOS, etc. We certainly have defined some things around
> plugins, but they are mostly a black box still and everyone hopes to
> move away from them just like Apple did.
>

Oh, I cannot wait for NPAPI to die. But until it does, we should define
some things around the outlines of the big black hole they leave in the
platform.

I don't like sync XHR either, but that doesn't mean that I don't think it
should be in the spec if it's widely supported and used.


> There may be disagreement, but that's the role standards have taken to
> date. We don't run conformance test suites of standards on browsers
> plus their myriad of extensions. Or on custom builds of browsers some
> set of users decided to start using (same as extensions). None of that
> seems tenable either, so I'm not sure why there would be disagreement.
>

I'd agree with you that MUST-level requirements would be both difficult to
test and to enforce. SHOULD-level recommendations, however, seem quite
valuable.

Especially for standards like CSP which have a cross-cutting impact on the
way websites function, it's important for us to help user agent
implementers understand the potential impact of the spec on the extension
systems they've created, and to guide them towards implementations we see
as correctly balancing potentially competing claims. The "should CSP block
extensions" discussion and subsequent compromise from a few weeks back is
an exemplary example of us doing a bad job of that (IMO).

-mike
Received on Wednesday, 28 May 2014 12:20:34 UTC