Status of CSPEE spec? Implementor interest?

[sideshowbarker]

If the Blink implementation of CSPEE is still the only implementation, and if we don’t have any new indications of interest from the Gecko or WebKit projects in implementing it, do we still want to keep it as a WebAppSec WG deliverable? If so, do we want to mark it some way to give some indication of its status — in particular, an indication of its implementation status?

[RuslanZavacky]

Noticed recently, that this was removed from WebAppSec group and moved to WICG and published as a Note rather than working draft.

From the working perspective, how it is possible (if even) to help/contribute on that spec to move it forward or figure out what are the plans of other vendors and why they didn't implement it?

[annevk]

@RuslanZavacky pointer? That's not what I'm seeing. (This repository also didn't move to the WICG organization.)

[RuslanZavacky]

@annevk maybe I've read w3c/webappsec#595 (comment) this somehow incorrectly.

I agree that no one is working on the spec, but the mechanism does have usage in the wild, and has already been published by the group at https://www.w3.org/TR/csp-embedded-enforcement/. Still, given the state of the spec, I wouldn't object to shifting the published document to a NOTE, and moving the ED from the webappsec group to the WICG.

But this one w3c/webappsec#597 also says remove CSPEE.

It says that no one is working and it is removed from working to Note and moved to WICG.

[annevk]

It doesn't appear that any of that has happened in practice yet, but perhaps that's because nobody did the work. It's indeed the plan of action per https://www.w3.org/2022/06/webappsec-charter-2022.html#ig-other-deliverables.

As far as your original question goes your best bet is probably to contribute to this repository.