- From: Mike West <mkwst@google.com>
- Date: Fri, 6 Feb 2015 09:25:02 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAKXHy=cnXHF7S6OpL198JK=f_YNLiKi-3RttLzWZcF3SpvuROA@mail.gmail.com>
Pinging this thread; the CfC expires Monday. Thus far, the response has been less than inspiring. I hope that means that everyone is happy with the current state, and sick of talking about it. :) The only issue raised is IPv4/IPv6 in the grammar. Brian's suggested dropping it entirely. I'm a bit skeptical that we can do that, given that it's been out there for ~2 years. Any other issues folks have on their mind for CSP2? -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Tue, Jan 27, 2015 at 4:42 PM, Mike West <mkwst@google.com> wrote: > Hello, webappsecians! Since folks are meeting at AppSecCali tonight, it > seems like a good opportunity to give you things to talk about. :) > > A few months after Last Call, I think we're closing in on something > resembling agreement on CSP2. We might or might not actually be there; I'm > hoping this email will ensure that folks whose concerns I haven't addressed > will let me know about it. CCing Brian in particular, as his _excellent_ > feedback from November/December sparked many of the recent changes. Hi, > Brian! > > A complete list of relevant changes to the CSP2 spec since Last Call is up > at > https://github.com/w3c/webappsec/commits/master/specs/CSP2/index.src.html. > > The potentially contentious issue I'm aware of is the overarching question > of whether CSP is a purely negative control, or whether directives like > `referrer` and `reflected-xss` (which can arguably weaken a document's > default security settings) fits into the processing model. Brian has made a > strong case for dropping them (see the last two paragraphs in > https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0150.html), > and I've marked both as "At Risk" in the CR draft. I wouldn't mind > deferring the specification of both to CSP3, though I very much want to > give folks like Twitter a mechanism to get redirectors like `t.co` fully > onto HTTPS (which `referrer` promises to do). Perhaps a compromise that > drops 'unsafe-url' but retains 'origin' would be a reasonable stopgap while > we hammer out Referrer Policy separately? > > Are there other issues which I've missed, or insufficiently addressed? > > Please read through > https://w3c.github.io/webappsec/specs/CSP2/published/2015-01-CR.html, and > send any comments on this or other topics to public-webappsec@w3.org. > Positive feedback is encouraged! > > This CfC will end with our next scheduled call, about two weeks from > yesterday, on February 9th, 2015. I think that should be enough time to > work things out. I hope. :) > > Thanks! > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth > Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >
Received on Friday, 6 February 2015 08:25:50 UTC