- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 2 Feb 2012 12:50:03 -0800
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: public-webappsec <public-webappsec@w3.org>
On Tue, Jan 17, 2012 at 1:23 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> I promised (Action 34) to go through the document and make
> sure that the first policy found is clear. Not sure it is,
> though.
>
> Questions:
> 3.1.1 reads:
>
> Upon receiving an HTTP response containing at least one
> Content-Security-Policy header field, the user agent must enforce
> the policy contained in the first such header field.
>
> Don't we want to say MUST NOT enforce the policies contained in
> subsequent header fields? The same question applies to 3.1.2.

I've made this say "MUST ignore", which seems clearer.

> 3.1.2. reads:
> Upon receiving an HTTP response containing at least one
> Content-Security-Policy-Report-Only header field, the user agent
> must monitor the policy contained in the first such header field.
>
> What if I have both CSP and CSPRO fields? Do I do one monitor and
> one enforce?

Yes. I've added a note to that effect.

> 3.1.3.
> Does this imply that I need to start enforcing as soon as I see
> the meta element? I don't understand the processing model well
> enough to know if this means that they must be processed in
> order.

Yes. Basically, the <meta> elements are processed in the order they're
encountered by the HTML parser. (Machinery in the HTML5 specification
makes this happen for us.)

> S 4.1.2. reads:
>
> Fetch the request URI from origin of the protected document, with
> the synchronous flag set, using HTTP method GET.
>
> I assume that the point of the synchronous flag is to force this fetch
> to block everything else? Just want to make sure that that is actually
> the impact.

Correct. Setting the synchronous flag here stops the world and waits for a
response from the server.

Adam
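An added example, not from this thread or from the CSP draft itself: a small Python model of the first-field rule discussed above (enforce the first Content-Security-Policy field, monitor the first Content-Security-Policy-Report-Only field, ignore any later field of either kind), useful for checking what a response that carries more than one policy header would actually get under that text. The `parse_policy` splitting and the sample headers are my own simplifications and constructed input, not the draft's grammar.

```python
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]
ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_policy(value: str) -> Policy:
    """Split one policy string into {directive-name: [source expressions]}."""
    directives: Policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            # First occurrence of a directive name within a policy wins.
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def select_policies(headers: List[Tuple[str, str]]):
    """Apply the draft's first-field rule to headers given in wire order.

    Returns (enforced, monitored, ignored): the first CSP field is enforced,
    the first CSP-Report-Only field is monitored and any later field of
    either kind is ignored (the "MUST ignore" wording agreed in the thread).
    """
    enforced: Optional[Policy] = None
    monitored: Optional[Policy] = None
    ignored: List[Tuple[str, str]] = []
    for name, value in headers:
        key = name.lower()
        if key == ENFORCE and enforced is None:
            enforced = parse_policy(value)
        elif key == REPORT_ONLY and monitored is None:
            monitored = parse_policy(value)
        elif key in (ENFORCE, REPORT_ONLY):
            ignored.append((name, value))
    return enforced, monitored, ignored


# Constructed sample: a server emitting two enforcing headers (say, from two
# layers of middleware) and one report-only header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("Content-Security-Policy-Report-Only", "default-src 'none'; report-uri /csp-report"),
    ("Content-Security-Policy", "default-src 'none'"),  # dropped: not the first field
]

if __name__ == "__main__":
    print(select_policies(SAMPLE_HEADERS))
```

Under this rule a second, stricter policy header (as in the constructed sample) is silently dropped, so a server that layers policies from several components should emit exactly one field of each kind.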
Received on Thursday, 2 February 2012 20:51:10 UTC