From 1f718b02a511a5dfbb6aa9d801f7963de3e876a3 Mon Sep 17 00:00:00 2001 From: Mike West Date: Fri, 12 Apr 2024 11:00:05 +0200 Subject: [PATCH] Add notes about non-normativity. Several "authoring considerations" sections should have been marked as non-normative. This PR does so. --- index.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/index.bs b/index.bs index 336d453086..413639de12 100644 --- a/index.bs +++ b/index.bs @@ -4751,6 +4751,8 @@ this algorithm returns normally if compilation is allowed, and throws a Usage of "`'strict-dynamic'`" + This section is not normative. + Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs. The solutions to Cure53's H5SC Minichallenge 3: "Sh*t, it's CSP!" [[H5SC3]] are good examples of the @@ -4879,6 +4881,8 @@ this algorithm returns normally if compilation is allowed, and throws a Allowing external JavaScript via hashes + This section is not normative. + In [[CSP2]], hash source expressions could only match inlined script, but now that Subresource Integrity [[SRI]] is widely deployed, we can expand the scope to enable externalized JavaScript as well. @@ -4943,6 +4947,8 @@ this algorithm returns normally if compilation is allowed, and throws a Strict CSP + This section is not normative. + Deployment of an effective CSP against XSS is a challenge (as described in CSP Is Dead, Long Live CSP! [[LONG-LIVE-CSP]]). However, enforcing the following set of CSP @@ -4983,6 +4989,8 @@ this algorithm returns normally if compilation is allowed, and throws a Exfiltration + This section is not normative. + Data exfiltration can occur when the contents of the request, such as the URL, contain information about the user or page that should be restricted and not shared.
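Review bot: In all four hunks (the "Usage of 'strict-dynamic'", "Allowing external JavaScript via hashes", "Strict CSP" and "Exfiltration" sections) the added line `This section is not normative.` appears as a bare paragraph with no markup around it; please confirm it uses the same markup as the existing non-normative markers elsewhere in index.bs (for example emphasis on the sentence, if that is what the other sections use), so the four new markers render and read identically to the ones already in the document rather than as an unstyled sentence below the heading.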
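Review bot: The marker sentence only has effect if the document's conformance clause states that sections explicitly marked as non-normative are excluded from the normative requirements; the diff touches only the four section bodies and not that clause, so please check that the conformance section's wording already covers a sentence of this exact form, and adjust either the clause or the sentence if the two do not match. It would also help to name the four sections in the commit message instead of "Several", since a reader of the history cannot otherwise tell which authoring-considerations sections were affected without opening the diff.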