W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

Re: policy-uri is slow

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 15 Apr 2011 15:39:07 -0700
Message-ID: <4DA8C90B.7050409@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
On 4/14/11 5:47 PM, Adam Barth wrote:
> To confirm my understanding, if a document has a CSP policy consisting
> of a policy-uri, then the user agent is supposed to block processing
> of the document until it finishes fetching the policy-uri, right?
> That seems very bad for performance.

Yes. That's why we originally didn't include a policy-uri option.
There were persistent requests that for some use-cases
(complex/large site-wide policies) a cached policy more than made up
for the initial latency in saved bandwidth on subsequent requests.

I prefer in-line policies, but it doesn't hurt to support both and
let sites decide which fits their needs better.

-Dan Veditz
Received on Friday, 15 April 2011 22:39:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 15 April 2011 22:39:43 GMT