Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Mike West <mkwst@google.com>
Date: Tue, 10 Feb 2015 06:46:50 +0100
Message-ID: <CAKXHy=cj-9mFpKNP08RHLTHd6rB0VM3sqqfj82w4XaQq2Z9BzQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>

On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:

> On today's call, we decided to approve the Call for Consensus to advance
> CSP Level 2 to Candidate Recommendation.

I've spun up
https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html, which
doesn't _quite_ pass pubrules yet, but I think that's because pubrules is
crazy. :)

> We note the following issues of discussion and their resolution (including
>  open objections):
> 1) IPv6 address syntax for source matching has been deferred to CSP Level
> 3.  The lack of support for such does not prevent it being added in the
> future in a compatible manner, but the group felt that lacking strong
> interest and well-defined normalization routines for IPv6 at this time was
> not sufficient cause to delay the advancement of CSP2.

I think we deferred IPv4 as well (with the explicit exception of
``), as per Brian's suggestions in
right? I landed
earlier this morning; I'll revert it if I misunderstood what we agreed upon.

> 2) The referrer policy directives have been moved to the Referrer Policy
> spec and out of CSP, with no objections.

This was

> 3) The reflected-xss directive will remain, but be marked as "At Risk" and
> will be removed post-CR if multiple interoperable implementations cannot be
> demonstrated.

I actually thought we'd agreed to just defer this to CSP3. I landed
earlier this morning to do just that. Again, if I misunderstood, I'll
revert it.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 10 February 2015 05:47:39 UTC
