W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: new CSP draft.

From: Oda, Terri <terri.oda@intel.com>
Date: Mon, 11 Jan 2016 15:55:53 -0800
Message-ID: <CACoC0R8AU4tiisUzEoSkxp6Q+aHW87GhOCY-B8K+=vD6WVW_wQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On the subject of smaller nits...

In section 1.2, you say:

"Mitigate the risk of attacks which require a resource to be embedded in a
malicious context ("Pixel Perfect", etc) by giving developers granular
control over the origins which can embed a given resource."

I'm not sure what you meant by "Pixel Perfect" -- are you referring to the
Firefox plugin or something else?  I'm betting if it wasn't immediately
clear to me, it won't be clear to other readers either, and a quick web
search mostly yielded a bunch of hits for some Disney movie whose plot
doesn't seem to involve teaching teens about good web security policy. ;)

 Terri


On Fri, Dec 4, 2015 at 5:31 AM, Mike West <mkwst@google.com> wrote:

> Hello, webappsecians!
>
> At TPAC, we discussed stripping CSP3 down to be a clearer explanation of
> CSP2 in terms of Fetch, along with a set of hooks that enable modular
> documents to define the new stuff. I'm slowly working towards that goal.
>
> https://w3c.github.io/webappsec-csp/ is substantially rewritten, and I've
> started working with our friends in the WHATWG to add relevant hooks to
> their version of HTML and Fetch. There's still a little bit of outstanding
> work to be done, but it's far enough along that it would be helpful to get
> some more eyes on the document before I erroneously convince myself that
> it's finished.
>
> Once you finish reading Brad's new UI Security draft, I'd appreciate you
> taking a look at this one. :)
>
> -mike
>
Received on Monday, 11 January 2016 23:56:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC