- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 28 Mar 2011 13:24:31 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 03/27/2011 05:04 PM, Adam Barth wrote:
> On Sun, Mar 27, 2011 at 4:48 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Does "user-agents MUST NOT request script resources from non-approved
>> sources" mean that I'm supposed to enforce these restrictions on each
>> hop of the redirect chain or just for the first request? We should
>> spell out the requirements explicitly because that's a likely area for
>> implementation confusion (as evidenced by lots of historical screw-ups
>> in the area of redirects).
>
> I found this text at the bottom of the spec:
>
> [[
> For any protected document, when a request for a sub-document resource
> is redirected to another location, whether temporary or permanent, all
> locations in the resource's redirect chain, including the initial
> location and all subsequent redirected locations, must be permitted by
> the protected document's security policy in order for the sub-document
> resource to be allowed to load. If any step in the redirect process
> violates the protected document's security policy, the request should
> be terminated immediately and the load canceled.
> ]]
>
> It would be helpful if there was some connection between the
> requirements for the directives and this text. For example, you could
> define earlier in the spec what it means to restrict a resource load
> (and have some text like the above explaining what that means for
> redirects) and then when describing the directives, you can refer to
> the defined term.
>
> Adam

I agree and I've also created a TODO item in my issue tracker to more
directly tie in the redirect-handling language with resource loading.

Cheers,
Brandon

Received on Monday, 28 March 2011 20:22:26 UTC
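
The two readings discussed in this message (check only the first request, or check every location in the redirect chain as the quoted spec text requires) can be compared side by side. This is an added example, not code from the message or from the CSP specification; the source-matching rules are a simplified subset, and the function names, hosts and policy are hypothetical.

```javascript
// Added illustration. Source matching is a simplified subset (assumption):
// *, 'self', [scheme://]host[:port] and [scheme://]*.host[:port].
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function sourceMatches(source, url, documentUrl) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === documentUrl.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // an unparseable source expression matches nothing
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a source without a scheme inherits the protected document's scheme.
  const wantProtocol = scheme ? scheme.toLowerCase() + ":" : documentUrl.protocol;
  if (url.protocol !== wantProtocol) return false;
  const wantPort = port || DEFAULT_PORT[wantProtocol];
  if ((url.port || DEFAULT_PORT[url.protocol]) !== wantPort) return false;
  const have = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? have.endsWith("." + want) : have === want;
}

// Every location in the chain, initial request included, must be permitted.
// A user agent would run this check before following each redirect; the whole
// chain is passed in here only so the example is self-contained.
function checkRedirectChain(sources, documentHref, chain) {
  const documentUrl = new URL(documentHref);
  for (let hop = 0; hop < chain.length; hop++) {
    const url = new URL(chain[hop]);
    if (!sources.some((s) => sourceMatches(s, url, documentUrl))) {
      return { allowed: false, blockedHop: hop, blockedUrl: chain[hop] };
    }
  }
  return { allowed: true, blockedHop: -1, blockedUrl: null };
}

// The other reading raised in the thread: only the first request is checked.
function checkFirstHopOnly(sources, documentHref, chain) {
  return checkRedirectChain(sources, documentHref, chain.slice(0, 1));
}

// Constructed sample data (hypothetical hosts and policy).
const SAMPLE_DOCUMENT = "https://app.example.com/index.html";
const SAMPLE_SCRIPT_SOURCES = ["'self'", "https://cdn.example.net"];
const SAMPLE_CHAIN = [
  "https://cdn.example.net/lib.js",    // initial request: permitted
  "https://static.example.org/lib.js", // redirect target: not in the policy
];

console.log(checkFirstHopOnly(SAMPLE_SCRIPT_SOURCES, SAMPLE_DOCUMENT, SAMPLE_CHAIN));
console.log(checkRedirectChain(SAMPLE_SCRIPT_SOURCES, SAMPLE_DOCUMENT, SAMPLE_CHAIN));
```

With the sample data the first-hop-only check lets the load through, while the per-hop check stops at the redirect target.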