- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Wed, 01 Jul 2015 11:58:41 -0400
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On 07/01/2015 10:12 AM, Mike West wrote: > Neither Chrome nor Firefox have implemented the `unsafe-redirect` bits of > CSP2 (see 1.2 of http://www.w3.org/TR/CSP2/#changes-from-level-1). > Experimentation locally on internal sites leads me to believe that it's not > going to be web compatible: I didn't find any Google property that used CSP > which the new behavior wouldn't break in some way. > > Moreover, statistics from Chrome show that about 0.7% of page views would > be affected (trending upwards), which is significantly above the bar that > Blink has for breaking changes: > https://www.chromestatus.com/metrics/feature/timeline/popularity/709 > > We didn't declare it as "at risk" in the CSP2 CR, though we probably should > have. I think this means that removing the source expression and associated > behavior is likely a "substantive change"[1], which I think means that we > need to revise and republish the CR. Wendy, can you confirm that? I'll double-check with colleagues, but I think you're reading correctly that this is a substantive change that warrants another short trip through CR (or 4 weeks, as short as process allows). > > (Note to self: next time, mark the whole spec as "at risk" to make > deletions take less than a month and a half. :) ) Somehow, I don't think that would pass muster with the Director, no matter how clever :) --Wendy > > [1]: http://www.w3.org/2014/Process-20140801/#substantive-change > [2]: http://www.w3.org/2014/Process-20140801/#revised-cr > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth > Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) > -- Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Wednesday, 1 July 2015 15:58:46 UTC