Re: CfC: CSP2 to PR; deadline Aug 18th. from Daniel Veditz on 2015-08-21 (public-webappsec@w3.org from August 2015)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 20 Aug 2015 20:15:51 -0700
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <CADYDTCDwL3_HFZ73VhKOU=50JU1kbCFTqmGwFFPh+3bqAmc2OQ@mail.gmail.com>

At this point I can now say that Mozilla intends to implement child-src.
-Dan Veditz

On Wed, Aug 12, 2015 at 3:14 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Can someone from Mozilla or IE confirm that they intend to implement
> child-src?  As of the latest Firefox nightly, I still get console warnings
> that 'child-src' is an unknown directive.
>
> On Tue, Aug 11, 2015 at 11:27 PM Mike West <mkwst@google.com> wrote:
>
>> On Tue, Aug 11, 2015 at 5:44 PM, Brian Smith <brian@briansmith.org>
>> wrote:
>>
>>> On Tue, Aug 11, 2015 at 3:29 AM, Mike West <mkwst@google.com> wrote:
>>>
>>>> 2. It drops the `CSP` header entirely. Chrome implemented it, and
>>>> rolled it back due to unexpected interactions with CORS. No other browser
>>>> implemented it (as far as I'm aware?). This feature was marked as "at
>>>> risk", and as it's going to require more thought (
>>>> https://github.com/whatwg/fetch/issues/52), I'd like to bump it to
>>>> CSP3.
>>>>
>>>>
>>> The spec should at least mention the privacy problem that the CSP
>>> request header was supposed to help websites mitigate in its
>>> security/privacy considerations section.
>>>
>>
>> WDYT of
>> https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5
>> ?
>>
>> -mike
>>
>

Received on Friday, 21 August 2015 03:16:21 UTC