Re: CfC approved: CSP Level 2 to Candidate Recommendation

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 10 Feb 2015 17:06:58 +0000
Message-ID: <CAEeYn8i16JZiFOWtn2viF-eA2D_iFXKocfCQjKwXwXWMobKLxg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
Mike,

As the Editor, I'm going to pre-emptively assume you are correct on these
points, and that I was doing poor thread archaeology in a rush.  My
apologies.

-Brad

On Mon Feb 09 2015 at 9:47:12 PM Mike West <mkwst@google.com> wrote:

> On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> On today's call, we decided to approve the Call for Consensus to advance
>> CSP Level 2 to Candidate Recommendation.
>
>
> I've spun up
> https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html,
> which doesn't _quite_ pass pubrules yet, but I think that's because
> pubrules is crazy. :)
>
>
>> We note the following issues of discussion and their resolution
>> (including open objections):
>>
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level
>> 3.  The lack of support for such does not prevent it being added in the
>> future in a compatible manner, but the group felt that lacking strong
>> interest and well-defined normalization routines for IPv6 at this time was
>> not sufficient cause to delay the advancement of CSP2.
>>
>
> I think we deferred IPv4 as well (with the explicit exception of
> `127.0.0.1`), as per Brian's suggestions in
> https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html,
> right? I landed
> https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c
> earlier this morning; I'll revert it if I misunderstood what we agreed upon.
>
>
>> 2) The referrer policy directives have been moved to the Referrer Policy
>> spec and out of CSP, with no objections.
>>
>
> This was
> https://github.com/w3c/webappsec/commit/d8fee06f18d96ccd7cb6e8cbdf144878560459d5
> .
>
>
>> 3) The reflected-xss directive will remain, but be marked as "At Risk"
>> and will be removed post-CR if multiple interoperable implementations
>> cannot be demonstrated.
>>
>
> I actually thought we'd agreed to just defer this to CSP3. I landed
> https://github.com/w3c/webappsec/commit/6f89d89bd4965040b9ad30bb8b7ed0105fe4ae10
> earlier this morning to do just that. Again, if I misunderstood, I'll
> revert it.
>
> -mike
>
>>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Tuesday, 10 February 2015 17:07:30 UTC