RE: CfC: CSP2 to PR; deadline Aug 18th.

From: Crispin Cowan <crispin@microsoft.com>
Date: Thu, 13 Aug 2015 23:47:59 +0000
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <BN3PR0301MB1220B4DBE9748B967C05179CBD7D0@BN3PR0301MB1220.namprd03.prod.outlook.com>
IE/Edge have no near-term plans to implement CSP2.

From: Brad Hill [mailto:hillbrad@gmail.com]
Sent: Wednesday, August 12, 2015 3:15 PM
To: Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org>
Cc: public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy Seltzer <wseltzer@w3.org>
Subject: Re: CfC: CSP2 to PR; deadline Aug 18th.

Can someone from Mozilla or IE confirm that they intend to implement child-src?  As of the latest Firefox nightly, I still get console warnings that 'child-src' is an unknown directive.

On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com> wrote:
On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote:
On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
2. It drops the `CSP` header entirely. Chrome implemented it, and rolled it back due to unexpected interactions with CORS. No other browser implemented it (as far as I'm aware?). This feature was marked as "at risk", and as it's going to require more thought (https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.


The spec should at least mention the privacy problem that the CSP request header was supposed to help websites mitigate in its security/privacy considerations section.

WDYT of https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5?


-mike
Received on Thursday, 13 August 2015 23:48:29 UTC