W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT

From: Mike West <mkwst@google.com>
Date: Mon, 20 Oct 2014 17:39:08 +0200
Message-ID: <CAKXHy=dFjCK9u_6sEHdRX54UbNjsevf7YDkuyQQty-L_Rssy9Q@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
On Mon, Oct 20, 2014 at 5:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Oct 20, 2014 at 5:02 PM, Mike West <mkwst@google.com> wrote:
> > Point taken regarding hooks from Fetch. It's not clear to me what the
> best
> > way to manage that sort of thing is; do you already have ideas about how
> > you'd like such a hook to look?
>
> Something similar to what we have now. I pass you some objects, you
> return a boolean. (HSTS and REFERRER are harder of course. At least as
> long as we attempt to keep the hook from having side effects, which
> seems like a good thing.)
>

I was more curious about the ordering.

That is, does MIX or CSP happen first? In Chrome and Firefox, CSP happens
first so that you can use CSP's reporting mechanism to diagnose mixed
content issues. We should ensure that's specified somehow.

As long as there's one hook per spec, that's easy.


> (If you like to write small documents with lots of boilerplate over a
>

The boilerplate is mostly autogenerated. From a writing perspective, that's
no big deal.


> single document with multiple chapters, up to you I guess. I'd rather
>

Maybe I'm just a bad writer, but I think it'd be tough to sensibly combine
something like MIX and CSP conceptually. From a Fetch perspective, I
totally understand though: they both give you a "block this request or not"
signal, which is what you care about.


> review a single document on security-related policies. The alternative
> is finding the right links and hope I got them all and that they're
> all the latest, and is annoying at times.)
>

I think this is an argument for putting together an explainer document
(Service Worker has done well with
https://github.com/slightlyoff/ServiceWorker/blob/master/explainer.md) that
points to the various things you might care about when evaluating a page's
security policy, and linking to that document from various specs. I don't
see it as an argument for joining otherwise unrelated prose into a larger
document.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 20 October 2014 15:40:03 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC