
RE: CfC: CSP2 to PR; deadline Aug 18th.

From: Crispin Cowan <crispin@microsoft.com>
Date: Fri, 14 Aug 2015 00:04:49 +0000
To: Jim Manico <jim.manico@owasp.org>, Brad Hill <hillbrad@gmail.com>, "Mike West" <mkwst@google.com>, Brian Smith <brian@briansmith.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <BN3PR0301MB12204FFA00D2808B25D43D0BBD7C0@BN3PR0301MB1220.namprd03.prod.outlook.com>

We are working on filling in our standards gaps, but CSP2 is not at the top of that queue.

From: Jim Manico [mailto:jim.manico@owasp.org]
Sent: Thursday, August 13, 2015 4:57 PM
To: Crispin Cowan <crispin@microsoft.com>; Brad Hill <hillbrad@gmail.com>; Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org>
Cc: public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy Seltzer <wseltzer@w3.org>
Subject: Re: CfC: CSP2 to PR; deadline Aug 18th.

Edge is advertising itself as a "standards based browser" and more.  I'm disappointed to hear that IE/Edge has no near-term plans for CSP2.

Is it fair for a standards-based browser to not have near-term plans for CSP2 or are other browsers on a more long-term plan to support CSP2 as well?

Aloha,
Jim


On 8/13/15 1:47 PM, Crispin Cowan wrote:
IE/Edge have no near-term plans to implement CSP2.

From: Brad Hill [mailto:hillbrad@gmail.com]
Sent: Wednesday, August 12, 2015 3:15 PM
To: Mike West <mkwst@google.com>; Brian Smith <brian@briansmith.org>
Cc: public-webappsec@w3.org; Dan Veditz <dveditz@mozilla.com>; Wendy Seltzer <wseltzer@w3.org>
Subject: Re: CfC: CSP2 to PR; deadline Aug 18th.

Can someone from Mozilla or IE confirm that they intend to implement child-src?  As of the latest Firefox nightly, I still get console warnings that 'child-src' is an unknown directive.

On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com> wrote:
On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org> wrote:
On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
2. It drops the `CSP` header entirely. Chrome implemented it, and rolled it back due to unexpected interactions with CORS. No other browser implemented it (as far as I'm aware?). This feature was marked as "at risk", and as it's going to require more thought (https://github.com/whatwg/fetch/issues/52), I'd like to bump it to CSP3.


The spec should at least mention the privacy problem that the CSP request header was supposed to help websites mitigate in its security/privacy considerations section.

WDYT of https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5?


-mike



--

Jim Manico

Global Board Member

OWASP Foundation

https://www.owasp.org


Join me at AppSecUSA 2015!
Received on Friday, 14 August 2015 00:05:24 UTC
