From d091bce6fc43f33dcd4ad08cf7bc34069142abfa Mon Sep 17 00:00:00 2001 From: Mike West Date: Fri, 12 Apr 2024 11:03:25 +0200 Subject: [PATCH] Add notes about non-normativity. (#655) Several "authoring considerations" sections should have been marked non-normative, as noted in w3c/webappsec-csp#653. This PR addresses that oversight. --- index.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/index.bs b/index.bs index 7c0add8c7d..270b67219c 100644 --- a/index.bs +++ b/index.bs @@ -4768,6 +4768,8 @@ this algorithm returns normally if compilation is allowed, and throws a Usage of "`'strict-dynamic'`" + This section is not normative. + Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs. The solutions to Cure53's H5SC Minichallenge 3: "Sh*t, it's CSP!" [[H5SC3]] are good examples of the @@ -4896,6 +4898,8 @@ this algorithm returns normally if compilation is allowed, and throws a Allowing external JavaScript via hashes + This section is not normative. + In [[CSP2]], hash source expressions could only match inlined script, but now that Subresource Integrity [[SRI]] is widely deployed, we can expand the scope to enable externalized JavaScript as well. @@ -4960,6 +4964,8 @@ this algorithm returns normally if compilation is allowed, and throws a Strict CSP + This section is not normative. + Deployment of an effective CSP against XSS is a challenge (as described in CSP Is Dead, Long Live CSP! [[LONG-LIVE-CSP]]). However, enforcing the following set of CSP @@ -5000,6 +5006,8 @@ this algorithm returns normally if compilation is allowed, and throws a Exfiltration + This section is not normative. + Data exfiltration can occur when the contents of the request, such as the URL, contain information about the user or page that should be restricted and not shared.
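Review bot: In the first hunk (the "Usage of 'strict-dynamic'" section), the added line `This section is not normative.` appears as bare text between the heading and the first paragraph; if the spec sets its other non-normative markers in emphasis or a dedicated class, use the same markup here so the marker renders distinct from ordinary prose rather than as a one-sentence paragraph. The placement itself is right: the section walks through third-party puzzle solutions ([[H5SC3]]) as examples, which is guidance rather than a requirement on user agents.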
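Review bot: In the second hunk (the "Allowing external JavaScript via hashes" section), the paragraph immediately after the new marker is phrased as a design statement ("we can expand the scope to enable externalized JavaScript as well"), so please confirm that the actual matching rule for hash source expressions against external scripts, including the dependency on Subresource Integrity [[SRI]], is stated in a normative section elsewhere; otherwise marking this section non-normative leaves that behaviour with no normative home.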
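Review bot: In the third hunk (the "Strict CSP" section), the text that follows the marker says "enforcing the following set of CSP" directives, which readers may take as a requirement; since this section is now explicitly non-normative, consider rewording it to recommendation language (for example "deploying the following set of CSP directives") so the prose matches the marker and the policy reads as the deployment advice it is.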
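Review bot: The fourth hunk (the "Exfiltration" section) does not match the commit message, which says the change marks "authoring considerations" sections as non-normative; "Exfiltration" reads as a security-considerations discussion of what a request URL may leak about the user or page, not authoring guidance. Either update the commit message to say the change also covers security considerations, or confirm that this section is indeed part of the authoring considerations referenced in w3c/webappsec-csp#653.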