
Re: CfC: CSP2 to PR; deadline Aug 18th.

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 13 Aug 2015 13:56:40 -1000
To: Crispin Cowan <crispin@microsoft.com>, Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <55CD2EB8.6070000@owasp.org>
Edge is advertising itself as a "standards-based browser" and more. I'm 
disappointed to hear that IE/Edge has no near-term plans for CSP2.

Is it fair for a standards-based browser to not have near-term plans for 
CSP2 or are other browsers on a more long-term plan to support CSP2 as well?


On 8/13/15 1:47 PM, Crispin Cowan wrote:
> IE/Edge have no near-term plans to implement CSP2.
> *From:* Brad Hill [mailto:hillbrad@gmail.com]
> *Sent:* Wednesday, August 12, 2015 3:15 PM
> *To:* Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org>
> *Cc:* public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy 
> Seltzer <wseltzer@w3.org>
> *Subject:* Re: CfC: CSP2 to PR; deadline Aug 18th.
> Can someone from Mozilla or IE confirm that they intend to implement 
> child-src?  As of the latest Firefox nightly, I still get console 
> warnings that 'child-src' is an unknown directive.
> On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com 
> <mailto:mkwst@google.com>> wrote:
>     On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org
>     <mailto:brian@briansmith.org>> wrote:
>         On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com
>         <mailto:mkwst@google.com>> wrote:
>             2. It drops the `CSP` header entirely. Chrome implemented
>             it, and rolled it back due to unexpected interactions with
>             CORS. No other browser implemented it (as far as I'm
>             aware?). This feature was marked as "at risk", and as it's
>             going to require more thought
>             (https://github.com/whatwg/fetch/issues/52), I'd like to
>             bump it to CSP3.
>         The spec should at least mention the privacy problem that the
>         CSP request header was supposed to help websites mitigate in
>         its security/privacy considerations section.
>     WDYT of
>     https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5?
>     -mike

Jim Manico
Global Board Member
OWASP Foundation
Join me at AppSecUSA 2015!
Received on Thursday, 13 August 2015 23:57:13 UTC
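The thread above turns on the fact that `child-src` (CSP2) is still an unknown directive in some browsers, and an unknown directive is simply dropped, leaving frames governed by `frame-src` or `default-src` instead. The following is an added example (not code from this thread or from any of the browsers discussed) that parses a serialized policy, reports what a CSP1-only browser would apply to frames, and adds a `frame-src` fallback mirroring `child-src` where one is missing. The sample policy and the helper names are constructed for illustration.

```python
"""Check a CSP policy for a frame-src fallback to child-src (added example)."""
from typing import Dict, List, Optional


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source-expressions]}.
    Per CSP, a repeated directive name is ignored: the first occurrence wins."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, *sources = parts
        directives.setdefault(name.lower(), sources)
    return directives


def child_src_fallback_report(policy: str) -> Dict[str, object]:
    """Describe what governs frames in a browser that does not know child-src.
    Such a browser drops the unknown directive, so frames fall under frame-src
    if present, otherwise default-src, otherwise no restriction at all."""
    d = parse_csp(policy)
    uses_child = "child-src" in d
    effective: Optional[List[str]]
    if "frame-src" in d:
        effective = d["frame-src"]
    elif "default-src" in d:
        effective = d["default-src"]
    else:
        effective = None  # nothing restricts frames in a CSP1-only browser
    return {
        "uses_child_src": uses_child,
        "has_frame_src_fallback": uses_child and "frame-src" in d,
        "legacy_frame_sources": effective,
        "legacy_frames_unrestricted": effective is None,
    }


def add_frame_src_fallback(policy: str) -> str:
    """Append a frame-src directive mirroring child-src when child-src is
    present and frame-src is absent; otherwise return the policy unchanged."""
    d = parse_csp(policy)
    if "child-src" in d and "frame-src" not in d:
        return policy.rstrip().rstrip(";") + "; frame-src " + " ".join(d["child-src"])
    return policy


if __name__ == "__main__":
    # Constructed sample policy, not one taken from the thread.
    sample = "default-src 'self'; child-src https://widgets.example"
    print(child_src_fallback_report(sample))
    print(add_frame_src_fallback(sample))
```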
