W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

Re: Finalizing the shape of CSP ‘unsafe-dynamic’

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jun 2016 15:54:17 +0200
Message-ID: <CAKXHy=eqTc=ETWKn6y5Cn62OJFGgtu9DLTTytEx=ZUdzRiP0cw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Artur Janc <aaj@google.com>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Daniel Bates <dabates@apple.com>, Devdatta Akhawe <dev@dropbox.com>
On Wed, Jun 8, 2016 at 2:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> I agree with the trade-off that Artur outlined. My general inclination is
> that specifications/browsers should make more flexible, low-level
> primitives and then linters, stackoverflow, frameworks to warn about unsafe
> uses or provide safe high level abstractions. But, as Artur points out, it
> is not clear this has worked for CSP. So, now this is almost a meta
> question. I am ok with whatever Mike, as editor, prefers :)
>

'unsafe-dynamic' is dead, long live 'strict-dynamic':
https://github.com/w3c/webappsec-csp/commit/3476890664ada8efe2122301e6a4901cb12b520e

1. 'unsafe' is clearly wrong.
2. If we decide that we really, really need to split the keyword later,
this name doesn't prevent us from doing so.
3. 'strict' might theoretically hint at the notion that we're dropping the
whitelist, and strictifying the policy.
4. `random.org` picked this one above the several variants Artur, et al.
came up with.

-mike
Received on Monday, 20 June 2016 13:55:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC