W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

CfC: Transition CSP2 to CR.

From: Mike West <mkwst@google.com>
Date: Tue, 27 Jan 2015 16:42:01 +0100
Message-ID: <CAKXHy=etZKL0dn-yRCwYuZux7jzevVqqk8eb8O4hQB1LYXtXiA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Hello, webappsecians! Since folks are meeting at AppSecCali tonight, it
seems like a good opportunity to give you things to talk about. :)

A few months after Last Call, I think we're closing in on something
resembling agreement on CSP2. We might or might not actually be there; I'm
hoping this email will ensure that folks whose concerns I haven't addressed
will let me know about it. CCing Brian in particular, as his _excellent_
feedback from November/December sparked many of the recent changes. Hi,

A complete list of relevant changes to the CSP2 spec since Last Call is up
at https://github.com/w3c/webappsec/commits/master/specs/CSP2/index.src.html

The potentially contentious issue I'm aware of is the overarching question
of whether CSP is a purely negative control, or whether directives like
`referrer` and `reflected-xss` (which can arguably weaken a document's
default security settings) fits into the processing model. Brian has made a
strong case for dropping them (see the last two paragraphs in
and I've marked both as "At Risk" in the CR draft. I wouldn't mind
deferring the specification of both to CSP3, though I very much want to
give folks like Twitter a mechanism to get redirectors like `t.co` fully
onto HTTPS (which `referrer` promises to do). Perhaps a compromise that
drops 'unsafe-url' but retains 'origin' would be a reasonable stopgap while
we hammer out Referrer Policy separately?

Are there other issues which I've missed, or insufficiently addressed?

Please read through
https://w3c.github.io/webappsec/specs/CSP2/published/2015-01-CR.html, and
send any comments on this or other topics to public-webappsec@w3.org.
Positive feedback is encouraged!

This CfC will end with our next scheduled call, about two weeks from
yesterday, on February 9th, 2015. I think that should be enough time to
work things out. I hope. :)


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 27 January 2015 15:42:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:45 UTC