This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.

Bug 26061 - Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.
Summary: Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.
Status: NEW
Alias: None
Product: WebAppsSec
Classification: Unclassified
Component: CSP
Version: unspecified
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: Adam Barth
QA Contact: This bug has no owner yet - up for the taking
URL:
Whiteboard:
Keywords: CR
Depends on:
Blocks:
 
Reported: 2014-06-11 14:46 UTC by Glenn Adams
Modified: 2014-06-11 14:47 UTC
CC: 3 users

See Also:


Attachments

Description Glenn Adams 2014-06-11 14:46:25 UTC
CSP 1.1 specifies in Section 5:

"Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms."

In contrast, CSP 1.0 specifies in Section 3.3:

"Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."

and in Section 4.2:

"(The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)"

In order to reduce confusion by authors and developers, the language in CSP 1.0 should be changed to match that in CSP 1.1: specifically, (1) replace the above language cited from 3.3 with the note cited above in CSP 1.1, and (2) remove the parenthetical cited from 4.2.

This change does not impact conformance since CSP 1.0 casts the language in terms of a recommendation (should) and not a mandatory (must) requirement. Consequently, this change may be made without requiring a new LC or CR.