26061 2014-06-11 14:46:25 +0000 Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics. 2014-06-11 14:47:30 +0000 1 1 1 Unclassified WebAppsSec CSP unspecified All All NEW CR P2 normal --- 1 glenn w3c mike mkwst public-webappsec dave.null oldest_to_newest 107661 0 glenn 2014-06-11 14:46:25 +0000 CSP 1.1 specifies in Section 5: "Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms." In contrast, CSP 1.0 specifies in Section 3.3: "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets." and in Section 4.2: "(The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)" In order to reduce confusion by authors and developers, the language in CSP 1.0 should be changed to match that in CSP 1.1: specifically, (1) replace the above language cited from 3.3 with the note cited above in CSP1.1, and (2) remove the parenthetical cited from 4.2. This change does not impact conformance since CSP 1.0 casts the language in terms of a recommendation (should) and not a mandatory (must) requirement. Consequently, this change may made without requiring a new LC or CR.