Creating a note track for Strict CSP

From: Jun Kokatsu <Jun.Kokatsu@microsoft.com>
Date: Fri, 22 Oct 2021 19:53:04 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <MN2PR00MB0702E7DE9901733C882E49A7E2809@MN2PR00MB0702.namprd00.prod.outlook.com>

Hi All,

While advocating internally within Microsoft about Strict CSP<https://web.dev/strict-csp/>, I've got the following words 🙂

We talked to a security person within our org to try to better understand what are the implications of adding “Strict CSP” to XYZ. However, quoting our sec expert it seems like “"Strict CSP" is an informal term used by people from industry, I don't recall seeing it in the standard”.

While I was a little frustrated, I do think this person also has a point that Strict CSP has mostly been talked about by Google (though probably it's deployed to some other sites<https://mitigation.supply/> too).

I wonder if we can create a note track about Strict CSP (just like Post-Spectre Web Development<https://www.w3.org/TR/post-spectre-webdev/>), assuming people agree that Strict CSP is something that can be recommended by WebAppSec WG.

Please let me know what you all think 🙂


Received on Friday, 22 October 2021 19:53:25 UTC