Edge is advertising itself as a "standards based browser" and more. I'm
disappointed to hear that IE/Edge has no near-term plans for CSP2.
Is it fair for a standards-based browser to not have near-term plans for
CSP2 or are other browsers on a more long-term plan to support CSP2 as well?
Aloha,
Jim
On 8/13/15 1:47 PM, Crispin Cowan wrote:
>
> IE/Edge have no near-term plans to implement CSP2.
>
> *From:* Brad Hill [mailto:hillbrad@gmail.com]
> *Sent:* Wednesday, August 12, 2015 3:15 PM
> *To:* Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org>
> *Cc:* public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy
> Seltzer <wseltzer@w3.org>
> *Subject:* Re: CfC: CSP2 to PR; deadline Aug 18th.
>
> Can someone from Mozilla or IE confirm that they intend to implement
> child-src? As of the latest Firefox nightly, I still get console
> warnings that 'child-src' is an unknown directive.
>
> On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com
> <mailto:mkwst@google.com>> wrote:
>
>> On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org
>> <mailto:brian@briansmith.org>> wrote:
>>
>>> On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com
>>> <mailto:mkwst@google.com>> wrote:
>>>
>>>> 2. It drops the `CSP` header entirely. Chrome implemented
>>>> it, and rolled it back due to unexpected interactions with
>>>> CORS. No other browser implemented it (as far as I'm
>>>> aware?). This feature was marked as "at risk", and as it's
>>>> going to require more thought
>>>> (https://github.com/whatwg/fetch/issues/52), I'd like to
>>>> bump it to CSP3.
>>>
>>> The spec should at least mention the privacy problem that the
>>> CSP request header was supposed to help websites mitigate in
>>> its security/privacy considerations section.
>>
>> WDYT of
>> https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5?
>>
>> -mike
>
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!