
Re: First policy policy (Action 34)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 2 Feb 2012 12:50:03 -0800
Message-ID: <CAJE5ia_3+yBvb-pSX56tSr64pObVRMhBU18GedRFMC2iKNto5w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: public-webappsec <public-webappsec@w3.org>

On Tue, Jan 17, 2012 at 1:23 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> I promised (Action 34) to go through the document and make
> sure that the first policy found is clear. Not sure it is,
> though.
>
> Questions:
> 3.1.1 reads:
>
>  Upon receiving an HTTP response containing at least one
>  Content-Security-Policy header field, the user agent must enforce
>  the policy contained in the first such header field.
>
> Don't we want to say MUST NOT enforce the policies contained in
> subsequent header fields? The same question applies to 3.1.2.

I've made this say "MUST ignore", which seems clearer.

> 3.1.2. reads:
>  Upon receiving an HTTP response containing at least one
>  Content-Security-Policy-Report-Only header field, the user agent
>  must monitor the policy contained in the first such header field.
>
> What if I have both a CSP and a CSPRO field? Do I do one monitor and
> one enforce?

Yes.  I've added a note to that effect.

> 3.1.3.
> Does this imply that I need to start enforcing as soon as I see
> the meta element? I don't understand the processing model well
> enough to know if this means that they must be processed in
> order.

Yes.  Basically, the <meta> elements are processed in the order
they're encountered by the HTML parser.  (Machinery in the HTML5
specification makes this happen for us.)

> S 4.1.2. reads:
>
>  Fetch the request URI from origin of the protected document, with
>  the synchronous flag set, using HTTP method GET.
>
> I assume that the point of the synchronous flag is to force this fetch
> to block everything else? Just want to make sure that that is actually
> the impact.

Correct.  Setting the synchronous flag here stops the world and waits
for a response from the server.

Adam
Received on Thursday, 2 February 2012 20:51:10 GMT
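The header-selection rule agreed on in this thread (enforce the first Content-Security-Policy header field, monitor the first Content-Security-Policy-Report-Only header field, ignore any later field of the same name, and let the two operate independently) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any browser; the header-list format, the function names and the directive parser are assumptions. Note that the CSP specification as later published changed this rule and enforces every delivered policy, so this block models the February 2012 draft discussed above, not current user-agent behaviour.

```python
"""Model of the first-policy rule discussed in this thread (2012 CSP draft).

Assumptions (not from the page): the header list format, the function names
and the minimal directive parser are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

ENFORCE_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Minimal parser: directives are separated by ';', the directive name and
    its values by whitespace.  The first occurrence of a directive name wins.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        directives.setdefault(name, values)
    return directives


def select_policies(
    headers: List[Tuple[str, str]],
) -> Tuple[Optional[str], Optional[str]]:
    """Return (enforced_policy, monitored_policy) per sections 3.1.1 / 3.1.2.

    The user agent enforces the first Content-Security-Policy field and
    monitors the first Content-Security-Policy-Report-Only field; any later
    field of the same name MUST be ignored.  The two header families are
    independent, so a response may yield one enforced and one monitored
    policy at the same time.  Header names are matched case-insensitively.
    """
    enforced: Optional[str] = None
    monitored: Optional[str] = None
    for name, value in headers:
        key = name.strip().lower()
        if key == ENFORCE_HEADER and enforced is None:
            enforced = value.strip()
        elif key == REPORT_ONLY_HEADER and monitored is None:
            monitored = value.strip()
    return enforced, monitored


# Constructed sample response headers (not taken from the page).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://cdn.example"),
    # A second enforcing header: ignored under the draft rule, even though
    # it is far more permissive than the first.
    ("Content-Security-Policy", "default-src *"),
    ("Content-Security-Policy-Report-Only",
     "default-src 'none'; report-uri /csp-report"),
]


if __name__ == "__main__":
    enforced, monitored = select_policies(SAMPLE_HEADERS)
    print("enforced :", enforced)
    print("monitored:", monitored)
    if enforced is not None:
        print("enforced directives:", parse_policy(enforced))
```

Running the block shows the restrictive first policy being enforced, the permissive second one dropped, and the report-only policy monitored alongside it. A server-side check that walks outgoing headers the same way is a cheap way to catch a deployment that accidentally emits two Content-Security-Policy fields, since under this rule the second one silently does nothing.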
