Re: CfC: CSP2 to PR; deadline Aug 18th. from Brad Hill on 2015-08-12 (public-webappsec@w3.org from August 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 12 Aug 2015 22:14:58 +0000
To: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <CAEeYn8jAsxSJYp2USEmoGZC_xU=L0vC_2628FPV5Gcp5M4dWfw@mail.gmail.com>

Can someone from Mozilla or IE confirm that they intend to implement
child-src?  As of the latest Firefox nightly, I still get console warnings
that 'child-src' is an unknown directive.

On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com> wrote:

> On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
>>
>>> 2. It drops the `CSP` header entirely. Chrome implemented it, and rolled
>>> it back due to unexpected interactions with CORS. No other browser
>>> implemented it (as far as I'm aware?). This feature was marked as "at
>>> risk", and as it's going to require more thought (
>>> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.
>>>
>>>
>> The spec should at least mention the privacy problem that the CSP request
>> header was supposed to help websites mitigate in its security/privacy
>> considerations section.
>>
>
> WDYT of
> https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5
> ?
>
> -mike
>

Received on Wednesday, 12 August 2015 22:15:36 UTC