[resending, accidentally dropped the list]
On Wed, Jul 13, 2022 at 10:53 AM Eric Rescorla <[email protected]> wrote:
> How many features are there in Level 3?
>
A number, most already implemented. Remaining ones are:
- This feature, adding sub-directives script-src-elem and
script-src-attr. This is primarily to help legacy sites adding CSP because
blocking inline JavaScript is all or nothing in CSP2. (lack is notably
causing web-compat issues)
- The 'unsafe-hashes' keyword, primarily for event handler attributes
above
- Similarly to the first, style-src-element and style-src-attr
- Support for hash-whitelisting external scripts with integrity
attributes (another web-compat sore point)
- the "navigate-to" directive, which we've implemented but haven't
enabled. Not sure why.
- the "prefetch-src" directive
- the "report-to" integration with the Reporting API ("worth prototyping
<https://mozilla.github.io/standards-positions/#reporting>")
-Dan Veditz
On Wed, Jul 13, 2022 at 10:53 AM Eric Rescorla <[email protected]> wrote:
> How many features are there in Level 3?
>
> -Ekr
>
>
> On Wed, Jul 13, 2022 at 10:13 AM Daniel Veditz <[email protected]>
> wrote:
>
>> Do we need separate standard positions for each feature added to CSP in
>> level 3, or do we ask for a position on level 3 as a whole?
>> -Dan Veditz
>>
>> On Wed, Jul 13, 2022 at 9:14 AM Bobby Holley <[email protected]> wrote:
>>
>>> Hi Tom,
>>>
>>> We don't appear to have a standards-position entry for this, which would
>>> be a prerequisite for experimenting and shipping. Could you file an issue
>>> to get that process started? Thanks.
>>>
>>> On Wed, Jul 13, 2022 at 4:31 AM Tom Schuster <[email protected]>
>>> wrote:
>>>
>>>> CSP 3 adds two new directives that supersede the script-src directive.
>>>> These must be honored if present, with a fallback to script-src only
>>>> if they are not present.
>>>> The attributes allow finer control for allowing scripts only in script
>>>> blocks or script attributes (event handlers).
>>>>
>>>> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1529337
>>>> Standard: https://w3c.github.io/webappsec-csp/#csp-directives
>>>> Platform Coverage: all
>>>> Tests: Various web-platform-tests
>>>> Other Browsers:
>>>> - Chrome: Implemented in 79
>>>> - Safari: MDN claims this in Tech Preview
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "[email protected]" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CA%2BCWiYia0zafa_6-65o2%2BQruiuTeB26qNntS%2B0D_asoyo5vrCw%40mail.gmail.com
>>>> .
>>>>
>
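
Added example, not part of the original thread and not Firefox code: a simplified model of the fallback described in the intent-to-ship message, where script-src-elem and script-src-attr are honored if present and script-src (then default-src) is consulted only when they are absent. The helper names `parsePolicy` and `effectiveDirective` and the sample policies are constructed for illustration.

```javascript
// Fallback order: the specific sub-directive, then script-src, then default-src.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
};

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// kind is "script-src-elem" (script blocks) or "script-src-attr"
// (event handler attributes). Returns the governing directive or null.
function effectiveDirective(policy, kind) {
  for (const name of FALLBACK[kind]) {
    // Presence decides, even with an empty source list (which allows nothing).
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Constructed sample policies.
const SAMPLES = {
  csp2Style: "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'",
  split: "script-src 'self'; script-src-elem 'self' https://cdn.example; script-src-attr",
  defaultOnly: "default-src 'none'",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  const policy = parsePolicy(header);
  const elem = effectiveDirective(policy, "script-src-elem");
  const attr = effectiveDirective(policy, "script-src-attr");
  console.log(label, "| script blocks:", elem.name, "| event handlers:", attr.name);
}
```

In the `split` sample the bare `script-src-attr` blocks every event handler attribute while script blocks stay governed by `script-src-elem`, which is the finer control a single `script-src` cannot express.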