Hi! On Tue, Feb 25, 2014 at 7:39 AM, Mitar <mmitar@gmail.com> wrote: > > > With this in mind, I'm inclined to add a non-normative note to the spec > > along the lines of "Note that user agents are encouraged to allow > > third-party add-ons and JavaScript bookmarklets to bypass policy > > enforcement, either implicitly or based on the user's preference." > > Why reinventing the wheel? RFC 2119 here what SHOULD NOT in original note > mean: > I noted my justification further down in the email you're quoting: normative claims and vendor-specific behavior don't mix well. That's why I'd rephrase the original normative claim as a non-normative note, making the WG's consensus clear to implementers and authors, while not placing compatibility obligations on inherently incompatible features. In this sens this directly addresses Cox objections: if there valid > reasons (compromised extensions, user preference, liability reasons, > special UAs (kiosk mode)) UAs are allowed to interfere with the > operation, but UAs have to understand the consequences. > Cox, if I understand Glenn, correctly, objects strenuously to anything that implies a positive obligation to allow extensions, add-ons, bookmarklets, etc. to bypass CSP. "may" is fine, "should" is not, as far as that objection is concerned. I don't actually agree with Cox's position, as I hope is obvious, but I think the text I've suggested is a reasonable compromise. -mike
Received on Tuesday, 25 February 2014 10:36:03 UTC