
RE: CfC: CSP2 to PR; deadline Aug 18th.

From: Mike West <mkwst@google.com>
Date: Mon, 17 Aug 2015 14:46:44 -0700
Message-ID: <CAKXHy=cbM+RFfui9EOQt2xjPE98aEuru62OcVwOV0Ldb0pFxJg@mail.gmail.com>
To: Crispin Cowan <crispin@microsoft.com>, Tanvi Vyas <tanvi@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Dan Veditz <dveditz@mozilla.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jim Manico <jim.manico@owasp.org>

On Wed, Aug 12, 2015 at 3:14 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Can someone from Mozilla or IE confirm that they intend to implement
> child-src?  As of the latest Firefox nightly, I still get console warnings
> that 'child-src' is an unknown directive.
>
Dan, Tanvi, and Christoph: can you follow up on Brad's question regarding
`child-src` in Firefox? I thought y'all had implemented that already; if
you haven't, then we might need to re-evaluate whether or not it should be
in CSP2. That would be disappointing, seeing as how Chrome has already
taken the compatibility hit, but if there are good reasons that it's not in
Firefox, we should chat. :)

On Aug 13, 2015 17:04, "Crispin Cowan" <crispin@microsoft.com> wrote:

> We are working on filling in our standards gaps, but CSP2 is not at the
> top of that queue.
>

Hey Crispin!

I hope that when putting together Edge's list of priorities you recognize
that CSP2 isn't a monolith. I'd suggest that it's possible for you to pull
out pieces that would have more impact than others, and implement those.

For instance, I'd note that Google properties are beginning to roll out
fairly pervasive support for path-based limitations, and beginning to use
nonces as opposed to relying on 'unsafe-inline'. Those features might be
worth spending time on supporting sooner rather than later.

-mike

Received on Monday, 17 August 2015 21:47:32 UTC
