Re: Finalizing the shape of CSP ‘unsafe-dynamic’ from Mike West on 2016-06-20 (public-webappsec@w3.org from June 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jun 2016 15:54:17 +0200
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Artur Janc <aaj@google.com>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Daniel Bates <dabates@apple.com>, Devdatta Akhawe <dev@dropbox.com>
Message-ID: <CAKXHy=eqTc=ETWKn6y5Cn62OJFGgtu9DLTTytEx=ZUdzRiP0cw@mail.gmail.com>

On Wed, Jun 8, 2016 at 2:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> I agree with the trade-off that Artur outlined. My general inclination is
> that specifications/browsers should make more flexible, low-level
> primitives and then linters, stackoverflow, frameworks to warn about unsafe
> uses or provide safe high level abstractions. But, as Artur points out, it
> is not clear this has worked for CSP. So, now this is almost a meta
> question. I am ok with whatever Mike, as editor, prefers :)
>

'unsafe-dynamic' is dead, long live 'strict-dynamic':
https://github.com/w3c/webappsec-csp/commit/3476890664ada8efe2122301e6a4901cb12b520e

1. 'unsafe' is clearly wrong.
2. If we decide that we really, really need to split the keyword later,
this name doesn't prevent us from doing so.
3. 'strict' might theoretically hint at the notion that we're dropping the
whitelist, and strictifying the policy.
4. `random.org` picked this one above the several variants Artur, et al.
came up with.

-mike

Received on Monday, 20 June 2016 13:55:09 UTC