Creating a note track for Strict CSP

Hi All,

While advocating internally within Microsoft about Strict CSP<https://web.dev/strict-csp/>, I've got the following words 🙂

We talked to a security person within our org to try to better understand what the implications of adding “Strict CSP” to XYZ are. However, quoting our sec expert, it seems like “‘Strict CSP’ is an informal term used by people from industry, I don't recall seeing it in the standard”.

While I was a little frustrated, I do think this person also has a point that Strict CSP has mostly been talked about by Google (though it's probably deployed on some other sites<https://mitigation.supply/> too).

I wonder if we can create a note track about Strict CSP (just like Post-Spectre Web Development<https://www.w3.org/TR/post-spectre-webdev/>), assuming people agree that Strict CSP is something that can be recommended by the WebAppSec WG.

Please let me know what you all think 🙂

Thanks,

Jun

Received on Friday, 22 October 2021 19:53:25 UTC