
Re: CSP syntax

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 11 Feb 2011 10:41:32 -0800
Message-ID: <4D5582DC.7030603@mozilla.com>
To: Terri Oda <terri@zone12.com>
CC: public-web-security@w3.org

On 2/4/11 1:03 PM, Terri Oda wrote:
> I vaguely recall that there was a reason a separate policy file was
> rejected as an idea in previous CSP discussion.

A separate policy file has drawbacks: it's an extra connection and
will block page rendering while it's being loaded. The current
Mozilla implementation is a synchronous request like an (old-style)
<script src=>, but even if we later optimize with async loading
we're going to have to block at the first construct that might be
covered by a policy.

A separate policy file has advantages: it makes the header compact,
and if the same policy is appropriate for the whole site (or large
sections) then caching helps with the latency problem.

As Lucas said, we won't know until sites try to deploy, but we
imagine in-line policies will be appropriate for simple sites and
maybe for sites with per-resource policies generated on the fly, and
sites with large complex policies will use policy-uri.

On our own sites, for example, http://blog.mozilla.com/security/
uses an in-line policy and https://addons.mozilla.org/ uses an
external policy-uri. We're experimenting to see what works (thus the
X- header, which we fully expect an official spec to do away with).

-Dan Veditz

Received on Friday, 11 February 2011 18:42:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 11 February 2011 18:42:45 GMT