- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 12 Jul 2016 21:33:27 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>, David Ross <drx@google.com>
- Message-ID: <CAEeYn8ho7i7pNBR0VLLs+sjpiWkVxfe6mpwKTRebuhiPwN+YzQ@mail.gmail.com>
This is a call for consensus to transition three Working Drafts of the Web Application Security WG to "Working Group Note" status and indicate that they are no longer under active development towards the Recommendation Track, as discussed at the May F2F and briefly on the list.

The following specifications are proposed for transition:

---------------------------------------------------

Entry Point Regulation
https://www.w3.org/TR/epr/
Last updated ~1 year ago.

Reason to transition to Note: Same-site cookies (https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00) provide much of the intended attack surface reduction more simply

---------------------------------------------------

CSP Cookie Controls
https://www.w3.org/TR/csp-cookies/
Last updated ~6 months ago.

Reason to transition to Note: The Feature Policy proposal (https://wicg.github.io/feature-policy/) could be a better home for the intended functionality as part of a broader and more coherent approach, rather than putting this into CSP.

---------------------------------------------------

CSP Pinning
https://www.w3.org/TR/csp-pinning/
Last updated ~6 months ago.

Reason to transition to Note: While this kind of feature is still considered useful, like Cookie Controls and Feature Policy, the editor feels it would be better managed as part of a more generalized strategy for header pinning, and as part of that, with a strategy perhaps along the lines of a manifest, well-known resource or service worker that doesn't incur the cost of sending the pinning header with every request.

---------------------------------------------------

This CfC will be discussed on tomorrow's regularly scheduled working group teleconference (agenda to follow shortly on this list) and will close on Friday, 22-July-2016.

Positive responses encouraged, silence is consent.

Thank you,

Brad Hill

Received on Tuesday, 12 July 2016 21:34:08 UTC