W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CfC: Transition CSP2 to CR.

From: Mike West <mkwst@google.com>
Date: Fri, 6 Feb 2015 09:25:02 +0100
Message-ID: <CAKXHy=cnXHF7S6OpL198JK=f_YNLiKi-3RttLzWZcF3SpvuROA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Pinging this thread; the CfC expires Monday. Thus far, the response has
been less than inspiring. I hope that means that everyone is happy with the
current state, and sick of talking about it. :)

The only issue raised is IPv4/IPv6 in the grammar. Brian's suggested
dropping it entirely. I'm a bit skeptical that we can do that, given that
it's been out there for ~2 years.

Any other issues folks have on their mind for CSP2?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Jan 27, 2015 at 4:42 PM, Mike West <mkwst@google.com> wrote:

> Hello, webappsecians! Since folks are meeting at AppSecCali tonight, it
> seems like a good opportunity to give you things to talk about. :)
>
> A few months after Last Call, I think we're closing in on something
> resembling agreement on CSP2. We might or might not actually be there; I'm
> hoping this email will ensure that folks whose concerns I haven't addressed
> will let me know about it. CCing Brian in particular, as his _excellent_
> feedback from November/December sparked many of the recent changes. Hi,
> Brian!
>
> A complete list of relevant changes to the CSP2 spec since Last Call is up
> at
> https://github.com/w3c/webappsec/commits/master/specs/CSP2/index.src.html.
>
> The potentially contentious issue I'm aware of is the overarching question
> of whether CSP is a purely negative control, or whether directives like
> `referrer` and `reflected-xss` (which can arguably weaken a document's
> default security settings) fits into the processing model. Brian has made a
> strong case for dropping them (see the last two paragraphs in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0150.html),
> and I've marked both as "At Risk" in the CR draft. I wouldn't mind
> deferring the specification of both to CSP3, though I very much want to
> give folks like Twitter a mechanism to get redirectors like `t.co` fully
> onto HTTPS (which `referrer` promises to do). Perhaps a compromise that
> drops 'unsafe-url' but retains 'origin' would be a reasonable stopgap while
> we hammer out Referrer Policy separately?
>
> Are there other issues which I've missed, or insufficiently addressed?
>
> Please read through
> https://w3c.github.io/webappsec/specs/CSP2/published/2015-01-CR.html, and
> send any comments on this or other topics to public-webappsec@w3.org.
> Positive feedback is encouraged!
>
> This CfC will end with our next scheduled call, about two weeks from
> yesterday, on February 9th, 2015. I think that should be enough time to
> work things out. I hope. :)
>
> Thanks!
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Friday, 6 February 2015 08:25:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC