Re: CfC approved: CSP Level 2 to Candidate Recommendation

Mike West <mkwst@google.com> wrote:
> Brad Hill <hillbrad@gmail.com> wrote:
>> On today's call, we decided to approve the Call for Consensus to advance
>> CSP Level 2 to Candidate Recommendation.
>
> I've spun up
> https://w3c.github.io/webappsec/specs/CSP2/published/2015-02-CR.html, which
> doesn't _quite_ pass pubrules yet, but I think that's because pubrules is
> crazy. :)
>
>> We note the following issues of discussion and their resolution (including
>> open objections):
>>
>> 1) IPv6 address syntax for source matching has been deferred to CSP Level
>> 3.
<snip>
> I think we deferred IPv4 as well (with the explicit exception of
> `127.0.0.1`)
>
>> 2) The referrer policy directives have been moved to the Referrer Policy
>> spec and out of CSP, with no objections.
>
>> 3) The reflected-xss directive will remain, but be marked as "At Risk" and
>> will be removed post-CR if multiple interoperable implementations cannot be
>> demonstrated.
>
> I actually thought we'd agreed to just defer this to CSP3. I landed
> https://github.com/w3c/webappsec/commit/6f89d89bd4965040b9ad30bb8b7ed0105fe4ae10
> earlier this morning to do just that. Again, if I misunderstood, I'll revert
> it.

FWIW, I think these are all reasonable resolutions. I also don't
object to the resolution of the Unicode URL issue. As for the nonce
issue, I withdraw my argument; however, the security considerations
for nonce should be improved to document its known weaknesses, as
described in my previous emails on the topic. In general it seems like
the security considerations section was not updated from CSP 1.

Also, I just noticed that the text on CSP sandbox is unclear about
what to do when there are multiple CSP policies in effect with
different sandbox policies. It would be nice if that text clarified
that the resulting sandbox policy is the intersection of all the given
policies.

Anyway, feel free to close the "Respond to Brian" issue in the issue tracker.

Cheers,
Brian

Received on Wednesday, 11 February 2015 12:09:05 UTC
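The sandbox point Brian raises above, worked through as an added example that is not part of the thread or of the CSP2 spec: several Content-Security-Policy header values are in effect at once, each may carry its own `sandbox` directive, and the effective allowances are taken as the intersection of every policy's `allow-*` tokens (the semantics Brian proposes). The header strings, the simplified directive parser, and the `parsePolicy`/`effectiveSandbox` function names are this example's own assumptions; the token list is the CSP2 sandbox vocabulary.

```javascript
// Added example (not from the thread or the spec): combine the `sandbox`
// directives of several CSP policies under "intersection of allowances".
// Parsing is simplified and is an assumption of this example.

// Sandbox tokens recognised by CSP Level 2's `sandbox` directive.
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-pointer-lock', 'allow-popups',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

// Parse one header value into a Map of directive name -> value tokens.
// A directive repeated within one policy keeps its first occurrence, as CSP
// ignores later duplicates.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const lname = name.toLowerCase();
    if (!directives.has(lname)) directives.set(lname, values);
  }
  return directives;
}

// Effective sandbox allowances across all delivered policies.
// Returns null when no policy sandboxes the document at all; otherwise a
// sorted array of the tokens allowed by EVERY sandboxing policy. A bare
// `sandbox` directive allows nothing, so it forces the result to [].
function effectiveSandbox(headers) {
  let allowed = null;
  for (const header of headers) {
    const directives = parsePolicy(header);
    if (!directives.has('sandbox')) continue; // this policy imposes no sandbox
    const tokens = new Set(
      directives.get('sandbox')
        .map((t) => t.toLowerCase())
        .filter((t) => SANDBOX_TOKENS.has(t)), // unknown tokens are dropped
    );
    allowed = allowed === null
      ? tokens
      : new Set([...allowed].filter((t) => tokens.has(t)));
  }
  return allowed === null ? null : [...allowed].sort();
}

// Constructed sample: two policies, each relaxing a different set of flags.
const SAMPLE_HEADERS = [
  "default-src 'self'; sandbox allow-scripts allow-forms",
  "sandbox allow-scripts allow-popups",
];
console.log(effectiveSandbox(SAMPLE_HEADERS)); // only allow-scripts survives
```

Because each policy is enforced independently, any restriction imposed by one policy cannot be relaxed by another; intersecting the allowances is the same as taking the union of the restrictions, which is the most restrictive combination.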