Re: CfC: CSP2 to PR; deadline Aug 18th.

From: Mike West <mkwst@google.com>
Date: Tue, 11 Aug 2015 17:51:59 +0200
Message-ID: <CAKXHy=fmFyjsPbA=SJJnY3zFVzUm5pgWqZ62PV1ouYw=6dfQZw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>

You're entirely correct, Brian. Thanks. I'll add something.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
>
>> 2. It drops the `CSP` header entirely. Chrome implemented it, and rolled
>> it back due to unexpected interactions with CORS. No other browser
>> implemented it (as far as I'm aware?). This feature was marked as "at
>> risk", and as it's going to require more thought (
>> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.
>>
>>
> The spec should at least mention the privacy problem that the CSP request
> header was supposed to help websites mitigate in its security/privacy
> considerations section.
>
> Cheers,
> Brian
>
>
Received on Tuesday, 11 August 2015 15:52:47 UTC