- From: Mike West <mkwst@google.com>
- Date: Tue, 10 Feb 2015 06:46:50 +0100
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAKXHy=cj-9mFpKNP08RHLTHd6rB0VM3sqqfj82w4XaQq2Z9BzQ@mail.gmail.com>
On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:

> On today's call, we decided to approve the Call for Consensus to advance
> CSP Level 2 to Candidate Recommendation.

I've spun up https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html, which doesn't _quite_ pass pubrules yet, but I think that's because pubrules is crazy. :)

> We note the following issues of discussion and their resolution (including
> open objections):
>
> 1) IPv6 address syntax for source matching has been deferred to CSP Level
> 3. The lack of support for such does not prevent it being added in the
> future in a compatible manner, but the group felt that lacking strong
> interest and well-defined normalization routines for IPv6 at this time was
> not sufficient cause to delay the advancement of CSP2.

I think we deferred IPv4 as well (with the explicit exception of `127.0.0.1`), as per Brian's suggestions in https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html, right? I landed https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c earlier this morning; I'll revert it if I misunderstood what we agreed upon.

> 2) The referrer policy directives have been moved to the Referrer Policy
> spec and out of CSP, with no objections.

This was https://github.com/w3c/webappsec/commit/d8fee06f18d96ccd7cb6e8cbdf144878560459d5 .

> 3) The reflected-xss directive will remain, but be marked as "At Risk" and
> will be removed post-CR if multiple interoperable implementations cannot be
> demonstrated.

I actually thought we'd agreed to just defer this to CSP3. I landed https://github.com/w3c/webappsec/commit/6f89d89bd4965040b9ad30bb8b7ed0105fe4ae10 earlier this morning to do just that. Again, if I misunderstood, I'll revert it.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 10 February 2015 05:47:39 UTC
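The practical effect of deferring IP-address hosts from CSP2 source matching, as an added example that is not part of the thread or of the spec text: a simplified host-source matcher in JavaScript that treats an IPv4 or IPv6 literal in a source expression as matching nothing, with `127.0.0.1` as the one exception discussed above. Everything else here is a deliberate simplification and an assumption of this example, not a transcription of the CSP2 algorithm: exact scheme match when the expression names a scheme, the protected document's scheme (or an http-to-https upgrade) when it does not, `*.` wildcards that require at least one subdomain label, and default-port matching when no port-part is given.

```javascript
// Added example: simplified CSP2 host-source matching with the
// "IP literals don't match, except 127.0.0.1" rule. Not spec text.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const IPV6 = /^\[[0-9a-f:.]+\]$/i; // bracketed, as the WHATWG URL parser reports it
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const LOOPBACK_EXCEPTION = '127.0.0.1';

function isIpLiteral(host) {
  return IPV4.test(host) || IPV6.test(host);
}

// Split a source expression into [scheme "://"] host [":" port].
// The port separator must come after any IPv6 closing bracket.
function parseSourceExpression(expr) {
  let scheme = null;
  let rest = expr;
  const schemeSplit = expr.indexOf('://');
  if (schemeSplit !== -1) {
    scheme = expr.slice(0, schemeSplit).toLowerCase();
    rest = expr.slice(schemeSplit + 3);
  }
  let host = rest;
  let port = null;
  const lastColon = rest.lastIndexOf(':');
  if (lastColon !== -1 && lastColon > rest.lastIndexOf(']')) {
    host = rest.slice(0, lastColon);
    port = rest.slice(lastColon + 1);
  }
  return { scheme, host: host.toLowerCase(), port };
}

function schemeMatches(schemePart, url, protectedScheme) {
  const urlScheme = url.protocol.replace(/:$/, '');
  if (schemePart !== null) return schemePart === urlScheme;
  if (urlScheme === protectedScheme) return true;
  // Assumed simplification: allow https resources from an http document.
  return protectedScheme === 'http' && urlScheme === 'https';
}

function hostMatches(hostPart, urlHost) {
  if (hostPart === '*') return true;
  if (hostPart.startsWith('*.')) {
    const suffix = hostPart.slice(1); // ".example.com"
    // The wildcard requires at least one label: "*.example.com" does not match "example.com".
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return hostPart === urlHost;
}

function portMatches(portPart, url) {
  const defaultPort = DEFAULT_PORTS[url.protocol] || '';
  const urlPort = url.port || defaultPort; // URL parser drops default ports
  if (portPart === null) return urlPort === defaultPort;
  if (portPart === '*') return true;
  return portPart === urlPort;
}

// Returns true if `urlString` would be permitted by the source expression `expr`
// in a policy delivered with a document whose scheme is `protectedScheme`.
function sourceMatches(expr, urlString, protectedScheme) {
  const url = new URL(urlString);
  const { scheme, host, port } = parseSourceExpression(expr);
  if (!schemeMatches(scheme, url, protectedScheme)) return false;
  // The deferral: an IP-address host-part matches nothing, except loopback.
  if (isIpLiteral(host) && host !== LOOPBACK_EXCEPTION) return false;
  if (!hostMatches(host, url.hostname)) return false;
  return portMatches(port, url);
}

// Constructed sample checks: a policy author relying on LAN or IPv6 literals
// gets no match, while 127.0.0.1 and ordinary hostnames behave as expected.
const samples = [
  ['127.0.0.1:8080', 'http://127.0.0.1:8080/x.js', 'http'],
  ['192.168.1.10', 'http://192.168.1.10/x.js', 'http'],
  ['[::1]', 'http://[::1]/x.js', 'http'],
  ['*.example.com', 'https://cdn.example.com/a.js', 'https'],
  ['*.example.com', 'https://example.com/a.js', 'https'],
];
for (const [expr, u, s] of samples) {
  console.log(`${expr.padEnd(16)} ${u.padEnd(32)} -> ${sourceMatches(expr, u, s)}`);
}
```

A policy such as `script-src 192.168.1.10` therefore blocks the very host it names under this rule, which is the interoperability question the group chose to leave to CSP3 rather than settle under CR pressure.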