- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 10 Feb 2015 17:06:58 +0000
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAEeYn8i16JZiFOWtn2viF-eA2D_iFXKocfCQjKwXwXWMobKLxg@mail.gmail.com>
Mike,

As the Editor, I'm going to pre-emptively assume you are correct on these points, and that I was doing poor thread archaeology in a rush. My apologies.

-Brad

On Mon Feb 09 2015 at 9:47:12 PM Mike West <mkwst@google.com> wrote:

> On Tue, Feb 10, 2015 at 12:50 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> On today's call, we decided to approve the Call for Consensus to advance CSP Level 2 to Candidate Recommendation.
>
> I've spun up https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html, which doesn't _quite_ pass pubrules yet, but I think that's because pubrules is crazy. :)
>
>> We note the following issues of discussion and their resolution (including open objections):
>>
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level 3. The lack of support for such does not prevent it being added in the future in a compatible manner, but the group felt that lacking strong interest and well-defined normalization routines for IPv6 at this time was not sufficient cause to delay the advancement of CSP2.
>
> I think we deferred IPv4 as well (with the explicit exception of `127.0.0.1`), as per Brian's suggestions in https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0103.html, right? I landed https://github.com/w3c/webappsec/commit/c39f73a5fd93dd68de228a2e8914734c8e14a16c earlier this morning; I'll revert it if I misunderstood what we agreed upon.
>
>> 2) The referrer policy directives have been moved to the Referrer Policy spec and out of CSP, with no objections.
>
> This was https://github.com/w3c/webappsec/commit/d8fee06f18d96ccd7cb6e8cbdf144878560459d5.
>
>> 3) The reflected-xss directive will remain, but be marked as "At Risk" and will be removed post-CR if multiple interoperable implementations cannot be demonstrated.
>
> I actually thought we'd agreed to just defer this to CSP3. I landed https://github.com/w3c/webappsec/commit/6f89d89bd4965040b9ad30bb8b7ed0105fe4ae10 earlier this morning to do just that. Again, if I misunderstood, I'll revert it.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing Directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 10 February 2015 17:07:30 UTC