Re: CfC: CSP2 to PR; deadline Aug 18th.

On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
>
>> 2. It drops the `CSP` header entirely. Chrome implemented it, and rolled
>> it back due to unexpected interactions with CORS. No other browser
>> implemented it (as far as I'm aware?). This feature was marked as "at
>> risk", and as it's going to require more thought (
>> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.
>>
>>
> The spec should at least mention the privacy problem that the CSP request
> header was supposed to help websites mitigate in its security/privacy
> considerations section.
>

WDYT of
https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5
?

-mike

Received on Wednesday, 12 August 2015 06:28:35 UTC