
Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Mike West <mkwst@google.com>
Date: Tue, 10 Feb 2015 06:46:50 +0100
Message-ID: <CAKXHy=cj-9mFpKNP08RHLTHd6rB0VM3sqqfj82w4XaQq2Z9BzQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>

On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:

> On today's call, we decided to approve the Call for Consensus to advance
> CSP Level 2 to Candidate Recommendation.


I've spun up
https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html, which
doesn't _quite_ pass pubrules yet, but I think that's because pubrules is
crazy. :)


> We note the following issues of discussion and their resolution (including
>  open objections):
>
> 1) IPv6 address syntax for source matching has been deferred to CSP Level
> 3.  The lack of support for such does not prevent it being added in the
> future in a compatible manner, but the group felt that lacking strong
> interest and well-defined normalization routines for IPv6 at this time was
> not sufficient cause to delay the advancement of CSP2.
>

I think we deferred IPv4 as well (with the explicit exception of
`127.0.0.1`), as per Brian's suggestions in
https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html,
right? I landed
https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c
earlier this morning; I'll revert it if I misunderstood what we agreed upon.


> 2) The referrer policy directives have been moved to the Referrer Policy
> spec and out of CSP, with no objections.
>

This was
https://github.com/w3c/webappsec/commit/d8fee06f18d96ccd7cb6e8cbdf144878560459d5.


> 3) The reflected-xss directive will remain, but be marked as "At Risk" and
> will be removed post-CR if multiple interoperable implementations cannot be
> demonstrated.
>

I actually thought we'd agreed to just defer this to CSP3. I landed
https://github.com/w3c/webappsec/commit/6f89d89bd4965040b9ad30bb8b7ed0105fe4ae10
earlier this morning to do just that. Again, if I misunderstood, I'll
revert it.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
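As an added illustration (not code from this thread, the CSP2 editor's draft, or any browser), the following Python models the host-part matching rule as the thread describes the CR outcome: an IP literal in a host-source matches only when it is exactly `127.0.0.1`, while other IPv4 literals and all IPv6 literals are deferred to CSP Level 3 and therefore never match. The function names are mine, and scheme and port matching are deliberately left out.

```python
import re
from urllib.parse import urlsplit

# Constructed illustration of the CSP2 host-part rule as agreed in this thread:
# an IP literal in a host-source only matches when it is exactly 127.0.0.1;
# every other IPv4 literal and all IPv6 literals are deferred to CSP Level 3,
# so a CSP2-conformant matcher treats them as never matching. Function names
# are assumptions for this example; scheme and port matching are out of scope.

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def is_ipv4(host: str) -> bool:
    """True for a dotted-quad with every octet in 0..255."""
    return bool(IPV4_RE.match(host)) and all(int(p) <= 255 for p in host.split("."))


def is_ipv6_literal(host: str) -> bool:
    """True for a bracketed IPv6 literal such as '[::1]'."""
    return host.startswith("[") and host.endswith("]")


def host_part_matches(source_host: str, url_host: str) -> bool:
    """Match a host-source's host-part (e.g. 'example.com', '*.example.com',
    '127.0.0.1') against a URL's host, applying the IP-literal rule."""
    source_host, url_host = source_host.lower(), url_host.lower()
    if is_ipv6_literal(source_host) or is_ipv6_literal(url_host):
        return False  # IPv6 deferred to CSP3: never matches under CSP2
    if is_ipv4(source_host) or is_ipv4(url_host):
        # The loopback literal is the only IPv4 address CSP2 matches.
        return source_host == url_host == "127.0.0.1"
    if source_host.startswith("*."):
        suffix = source_host[1:]  # '*.example.com' -> '.example.com'
        return url_host.endswith(suffix) and len(url_host) > len(suffix)
    return source_host == url_host


def url_host_matches(source_host: str, url: str) -> bool:
    """Convenience wrapper: extract the host from a URL and match it."""
    host = urlsplit(url).hostname or ""
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals
        host = "[" + host + "]"
    return host_part_matches(source_host, host)


if __name__ == "__main__":
    for src, url in [("127.0.0.1", "http://127.0.0.1:8080/app.js"),
                     ("10.0.0.5", "http://10.0.0.5/app.js"),
                     ("[::1]", "http://[::1]/app.js"),
                     ("*.example.com", "https://cdn.example.com/app.js")]:
        print(f"{src:15} {url:40} {url_host_matches(src, url)}")
```

The practical consequence for policy authors is that a CSP2 `script-src 10.0.0.5` entry silently allows nothing, so intranet deployments relying on IP literals should use hostnames until CSP3 defines IP matching.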
Received on Tuesday, 10 February 2015 05:47:39 UTC