- From: Mike West <mkwst@google.com>
- Date: Tue, 11 Aug 2015 09:29:05 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAKXHy=c0+R18DbuKQeTU1A3Cvz-a57ko2fFFGfx97CioX5zS8Q@mail.gmail.com>
Hello, WebAppSec!

CSP2 (http://www.w3.org/TR/CSP2/) was republished as a Candidate Recommendation on July 21st after resolving issues with the first CR (as documented in https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0007.html). The current patent exclusion period expires on September 19th (https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0156.html).

In the CR, we suggested that a transition to proposed recommendation could be possible after a comment period extending through August 21st. As that date is rapidly approaching, this is a Call for Consensus to transition to Proposed Recommendation with the document at:

https://w3c.github.io/webappsec/specs/CSP2/published/2015-08-PR.html

This document is substantially identical to the CR, with the following normative changes:

1. It drops the "at risk" note for `child-src` (retaining the feature).

2. It drops the `CSP` header entirely. Chrome implemented it, and rolled it back due to unexpected interactions with CORS. No other browser implemented it (as far as I'm aware?). This feature was marked as "at risk", and as it's going to require more thought (https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.

Between Chrome, Opera, Firefox, Safari, and Edge, I believe we have substantial-enough overlap on the feature set to move forward fairly rapidly after the August 21st comment period for the CR (assuming no one comments by then (which seems like a pretty reasonable assumption at this point)).

If you have comments or concerns regarding this CfC, please reply to public-webappsec@w3.org by the end of Aug 18th. As always, explicitly positive responses to the list are encouraged.
:)

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 11 August 2015 07:29:53 UTC