Primary eng (and PM) emails
mk...@chromium.orgSpec
Summary
Blink has solid support for CSP 1.0 through the unprefixed 'Content-Security-Policy*' headers. I'd like to formally deprecate the prefixed 'X-WebKit-CSP*' headers.
Motivation
We're starting to see some large-scale implementations of CSP that are serving the prefixed header (Facebook and GitHub, for instance). In order to ensure that this prefixed header doesn't inadvertently become a de facto standard, we should deprecate the prefixed headers quickly.
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
OWP launch tracking bug?
Row on feature dashboard?
Yup.
Requesting simultaneous permission to unship?
Primary eng (and PM) emails
mk...@chromium.orgSpec
Summary
Blink has solid support for CSP 1.0 through the unprefixed 'Content-Security-Policy*' headers. I'd like to formally deprecate the prefixed 'X-WebKit-CSP*' headers.
Motivation
We're starting to see some large-scale implementations of CSP that are serving the prefixed header (Facebook and GitHub, for instance). In order to ensure that this prefixed header doesn't inadvertently become a de facto standard, we should deprecate the prefixed headers quickly.
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?
Who else ships the unprefixed version?
Do we have a sense of how many sites use the prefixed version and not the unprefixed version?
What will happen on sites that send the prefixed but not the unprefixed version if we deprecate?
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).
On Wednesday, April 17, 2013 12:20:08 AM UTC+9, Mike West wrote:
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).Fx21 (coming in May) will have the canonical header.(They still have a few bugs for full support of CSP 1.0 http://bugzil.la/837682 )
I think IE10 has partial support for CSP under the X-Content-Security-Policy header.
Hi Masataka-san!On Tue, Apr 16, 2013 at 5:39 PM, Masataka Yakura <myaku...@gmail.com> wrote:
On Wednesday, April 17, 2013 12:20:08 AM UTC+9, Mike West wrote:
Hi Alex!On Tue, Apr 16, 2013 at 5:10 PM, Alex Komoroske <komo...@chromium.org> wrote:
On Mon, Apr 15, 2013 at 10:53 PM, Mike West <mk...@chromium.org> wrote:
Compatibility Risk
None. Quite the opposite, as the prefixed header potentially impedes compatibility in the long run>
I agree about the long-term, but there still could be short-term compatibility risk in deprecating.How long have we shipped the prefixed version?Since Chrome 14 or so, in various stages of completeness.Who else ships the unprefixed version?Everyone else who uses WebKit/Blink. Safari 6, for example.Safari 5.x and Android's "Browser" ship the prefixed header as well, but they're unfortunately buggy enough to be fairly unusable.Firefox ships a differently prefixed version (`X-Content-Security-Policy`), and should be rolling out the cannonical header soon(ish).Fx21 (coming in May) will have the canonical header.(They still have a few bugs for full support of CSP 1.0 http://bugzil.la/837682 )+Ian Melvin, who's working on this in Mozilla.According to https://bugzilla.mozilla.org/show_bug.cgi?id=783049#c51 it'll be behind a flag in Firefox 21. I'm not entirely sure which of those is more current. (Hi Ian!)
Doesn't dropping support open sites using it to security risks.
I have no problem with warnings but I would expect at least a year before dropping support. Not everyone operates on Chromes release model.
Oh please. If there were such rules of the road you would start with deprecation warnings and dates. Or always have them behind flags. But the truth is you need folks to use them but you are willing to throw them under the bus for some Web standard ideal and an artificial deadline. I know I won't win an argument with someone with this mindset as we have differing views on what is owed to Web content developers.
I do recommend that you start warning on all vendor prefixes with removal dates (a year off) even if you extend them to allow standards bodies the decades (it seems) to agree on the obviously needed features that force people to use them. Then I couldn't argue that folks don't know what they are getting into.
Oh please. If there were such rules of the road you would start with deprecation warnings and dates. Or always have them behind flags.
But the truth is you need folks to use them but you are willing to throw them under the bus for some Web standard ideal and an artificial deadline.
I know I won't win an argument with someone with this mindset as we have differing views on what is owed to Web content developers.
I do recommend that you start warning on all vendor prefixes with removal dates (a year off) even if you extend them to allow standards bodies the decades (it seems) to agree on the obviously needed features that force people to use them. Then I couldn't argue that folks don't know what they are getting into.
You missed the point of the deprecated message with the deadline. The point is not about actually meeting any particular date. It is about communication and setting expectations. By starting with a removal date, you state it will be removed and isn't a extension that may never be standardized and you plan to support forever (which from where I sit has been the effective policy in the past). My choice of a year was chosen because I've never see a standard body act fast but is near enough to not be see as a far off future, otherwise it has no meaning. If you can standardized in 2 weeks, and expect to remove it in 3 by all means use a date 3 weeks out. "removal is expected near ...".
I understand the problem with removing legacy prefixes, so my recommendation is don't. The cost of maintaining an alias in low and there was no expectation that they would be removed. That is water under the bridge. Make sure moving forward that this doesn't repeat by communicating clearly in the browser itself from the start.
You missed the point of the deprecated message with the deadline. The point is not about actually meeting any particular date. It is about communication and setting expectations. By starting with a removal date, you state it will be removed and isn't a extension that may never be standardized and you plan to support forever (which from where I sit has been the effective policy in the past). My choice of a year was chosen because I've never see a standard body act fast but is near enough to not be see as a far off future, otherwise it has no meaning. If you can standardized in 2 weeks, and expect to remove it in 3 by all means use a date 3 weeks out. "removal is expected near ...".
I understand the problem with removing legacy prefixes, so my recommendation is don't. The cost of maintaining an alias in low and there was no expectation that they would be removed. That is water under the bridge. Make sure moving forward that this doesn't repeat by communicating clearly in the browser itself from the start.
Post facto warnings don't help (I didn't mean deprecation warnings previously but simply a removal warning). They need to be there from the start. I am aware of the arguments against vendor prefixes and agree that vendor prefixes fragment the web but I disagree that removing the prefixes and breaking compatibility is the right thing to do unless you have clearly state this intent when the content was developed.
CSP is an example of this but this isn't specifically about CSP. It is about policy.
The sad fact is that vendor prefixes mean "extension" not "temporary trial" and until there is only one browser vendor (which no one wants) there will always be vendor specific extensions and folks take advantage of these when they can. If you don't them to you need to tell them.