Re: [CSP2] Re: CR: Content Security Policy Level 2

Thanks, Brad! And thanks for the careful review, timeless!

On Fri, Aug 28, 2015 at 3:07 AM, Brad Hill <hillbrad@gmail.com> wrote:

> PR addressing much of this at:
>
> https://github.com/w3c/webappsec/pull/462
>
> Unaddressed issues from the review:
>
> * Fancy quotes.  I live in fear of the question box for fancy quotes, so
> not going to touch this one.
>

This looks like a Bikeshed bug more than anything else. My impression is
that support for entity-encoded smart quotes is solid cross-browser. I'll
look into it next week when I'm back at the office.


> * Pluggable matching algorithm for unique identifier schemes
>

I think this ought to be using the "local scheme" definition from URL (
https://url.spec.whatwg.org/#local-scheme). I don't think making it
pluggable is the right way to go, and browser-internal schemes are somewhat
outside the scope of this document.

That said, Chrome explicitly whitelists `chrome-extension:` URLs; they
bypass CSP entirely. I'd love to recommend that other vendors do the same,
but that seems to lead back into the exciting land of formal objections
from Cox that we resolved a long time ago. I'm going to reopen that can of
worms in CSP3 (sorry in advance, Brad!), but I think it's done for CSP2.

> * Java mime-type matching (please, can the Java plugin just die already?)
>

We just dropped support for `<applet>` in Chrome; I guess I'm disinclined
to add `x-java-vm` and `x-java-bean` unless there's a real need. I suspect
there isn't.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 28 August 2015 05:10:24 UTC
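The "local scheme" point in the reply above is easy to misread without seeing the matching rule it affects: under CSP2, `*`, `'self'` and host-sources never admit `blob:`, `data:` or `filesystem:` URLs; only an explicit scheme-source such as `data:` does, which is what keeps `script-src *` from allowing `data:text/javascript,...` injections. The following is an added example, not code from the thread, from the CSP2 spec or from any browser: a simplified source-list matcher in JavaScript that implements that rule. Assumptions: the local-scheme set follows the CSP2 list (blob, data, filesystem) rather than the URL spec's "local scheme" definition Mike proposes; the `bypassSchemes` option models the Chrome `chrome-extension:` carve-out he describes as a caller-supplied allow-list, not as part of the CSP2 algorithm; redirects, nonces, hashes and percent-decoding of paths are left out. It runs on Node without imports (WHATWG `URL` is global).

```javascript
// Simplified CSP2 source-list matcher (added example, not spec or browser code).
// Assumption: CSP2's set of schemes that wildcards and host-sources never match.
const LOCAL_SCHEMES = new Set(["blob", "data", "filesystem"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// host-source grammar, simplified: [scheme://][*.]host[:port|:*][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/[^\s]*)?$/i;

function schemeOf(u) { return u.protocol.slice(0, -1).toLowerCase(); }
function portOf(u) { return u.port || DEFAULT_PORTS[u.protocol] || ""; }

// Does one host-source expression match the parsed URL, given the protected
// resource's origin (used when the expression carries no scheme)?
function matchesHostSource(expr, url, origin) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const urlScheme = schemeOf(url);

  // Scheme: explicit scheme must match exactly; otherwise the protected
  // resource's scheme applies, and an http: page may also load https:.
  if (scheme) {
    if (scheme.toLowerCase() !== urlScheme) return false;
  } else {
    const originScheme = schemeOf(origin);
    if (urlScheme !== originScheme && !(originScheme === "http" && urlScheme === "https")) return false;
  }

  // Host: a leading "*." matches any subdomain; otherwise exact, case-insensitive.
  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (wildcard ? !uh.endsWith("." + h) : uh !== h) return false;

  // Port: ":*" matches any; explicit port must match; absent means the
  // URL must be on its scheme's default port.
  if (port) {
    if (port !== "*" && port !== portOf(url)) return false;
  } else if (portOf(url) !== (DEFAULT_PORTS[url.protocol] || "")) return false;

  // Path: a trailing "/" is a prefix match, anything else is exact.
  if (path) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Does urlString match the directive's source list for a page at selfOrigin?
// opts.bypassSchemes (assumption) models a vendor carve-out such as Chrome's
// chrome-extension: exemption; it is not part of the CSP2 matching algorithm.
function matchesSourceList(urlString, sourceList, opts) {
  const { selfOrigin, bypassSchemes = [] } = opts;
  const url = new URL(urlString);
  const origin = new URL(selfOrigin);
  const scheme = schemeOf(url);

  if (bypassSchemes.includes(scheme)) return true;

  const exprs = sourceList.trim().split(/\s+/).filter(Boolean);
  if (exprs.length === 0 || (exprs.length === 1 && exprs[0].toLowerCase() === "'none'")) return false;

  for (const raw of exprs) {
    const expr = raw.toLowerCase();
    if (expr === "*") {
      // The rule under discussion: a wildcard never covers local schemes.
      if (!LOCAL_SCHEMES.has(scheme)) return true;
      continue;
    }
    if (expr === "'self'") {
      // Same scheme, host and port as the protected resource. A data: or
      // blob: URL has no matching scheme, so it never matches 'self'.
      if (url.protocol === origin.protocol && url.hostname.toLowerCase() === origin.hostname.toLowerCase()
          && portOf(url) === portOf(origin)) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) {
      // scheme-source: the only expression that can admit data:, blob:, filesystem:.
      if (expr.slice(0, -1) === scheme) return true;
      continue;
    }
    if (expr.startsWith("'")) continue; // 'unsafe-inline', nonces, hashes: not URL matching
    if (!LOCAL_SCHEMES.has(scheme) && matchesHostSource(expr, url, origin)) return true;
  }
  return false;
}

// Constructed inputs for a page at https://app.example.com.
const PAGE = { selfOrigin: "https://app.example.com" };
matchesSourceList("data:text/javascript,alert(1)", "*", PAGE);          // false
matchesSourceList("data:text/javascript,alert(1)", "* data:", PAGE);    // true
matchesSourceList("chrome-extension://abcdef/content.js", "'none'",
                  { ...PAGE, bypassSchemes: ["chrome-extension"] });   // true
```

The two `data:` calls are the practical consequence of the rule: a policy of `script-src *` still blocks `data:` script URLs, and the page has to opt in with an explicit `data:` scheme-source. The last call shows why the `chrome-extension:` carve-out is a policy question rather than a matching detail: it returns true even against `'none'`, because it is checked before any source expression is consulted.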