CfC approved: CSP Level 2 to Candidate Recommendation

On today's call, we decided to approve the Call for Consensus to advance
CSP Level 2 to Candidate Recommendation.

We note the following issues of discussion and their resolution (including
open objections):

1) IPv6 address syntax for source matching has been deferred to CSP Level
3.  The lack of support does not prevent it from being added in the
future in a compatible manner, but the group felt that the lack of strong
interest and of well-defined normalization routines for IPv6 at this time
was not sufficient cause to delay the advancement of CSP2.

2) The referrer policy directives have been moved to the Referrer Policy
spec and out of CSP, with no objections.

3) The reflected-xss directive will remain, but be marked as "At Risk" and
will be removed post-CR if multiple interoperable implementations cannot be
demonstrated.

4) Unicode support will remain an open topic for CSP3, but as with IPv6,
the consensus was that current demand does not merit delaying advancement
of CSP2.

5) Nonce semantics will remain as currently defined.  Objections are noted,
but given that the semantics of this feature were cemented some time ago,
and that it already has a deployed base of users because it was made
available in both Chrome and Firefox implementations in advance of the
Level 2 spec becoming final, there was not sufficient consensus to overturn
that decision and disrupt deployed de-facto practice.  There are
acknowledged ways in which nonces are less secure than alternative
practices; these are mostly by-design affordances for existing applications
that otherwise could not use CSP at all.

Draft minutes of the teleconference are available at:
http://www.w3.org/2011/webappsec/draft-minutes/2015-02-09-webappsec-minutes.html

If anyone feels I have improperly reflected the consensus, please let me
know and submit corrections to the meeting minutes as necessary.

Wendy, will you please schedule a call with the Chairs and the Director or
his designate to approve the transition request?

Thank you,

Brad Hill

Received on Monday, 9 February 2015 23:50:34 UTC