Re: CfC: CSP2 to PR; deadline Aug 18th.

On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:

> 2. It drops the `CSP` header entirely. Chrome implemented it, and rolled
> it back due to unexpected interactions with CORS. No other browser
> implemented it (as far as I'm aware?). This feature was marked as "at
> risk", and as it's going to require more thought (
> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.
>

The spec should at least mention the privacy problem that the CSP request
header was supposed to help websites mitigate in its security/privacy
considerations section.

Cheers,
Brian

Received on Tuesday, 11 August 2015 15:45:18 UTC