W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

ISSUE-7: Should the policy-uri directive be in CSP 1.0?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 22 Feb 2012 15:57:43 -0800
Message-ID: <CAJE5ia82oSkSobV0e7vcy==XPK9CeCQZvYgLS_cagBrQ6uEqNQ@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Daniel Veditz <dveditz@mozilla.com>
Rather than include a policy in the Content-Security-Policy header,
web sites can use the policy-uri directive to direct the browser to
retrieve the CSP policy from a URL:

http://www.w3.org/TR/CSP/#policy-uri

Content-Security-Policy: policy-uri /my-csp-policy.txt

Pro:

1) If sites have long, complicated policies, it might be more
efficient for them to transfer their policy to the user agent once
(where it will be cached) rather than include the entire policy in
each HTTP response.

2) It might be easier to maintain a single, centralized CSP policy
rather than updating CSP policies in headers associated with many
different resources.

Con:

1) Retrieving the CSP policy from another URL slows down the web page
because the browser needs to block execution of the page while it
fetches the CSP policy.

If we include the feature, we're going to spend a lot of time and
effort telling developers not to use it because it's going to slow
down their pages.  For example, YSlow has spent a great deal of effort
evangelizing their best practices for speeding up your web site:

http://developer.yahoo.com/performance/rules.html

The very first item on their list is "Minimize HTTP Requests", which
policy-uri violates.  They also recommend that sites "Put Scripts at
the Bottom" because "they block parallel downloads".  Unfortunately,
web sites cannot put policy-uri "at the bottom" of their page.  It
needs to be placed "at the top" where it will block the entire page.

Dan Veditz has said that many folks requested that Firefox include the
policy-uri directive.  However, I haven't seen much evidence of sites
actually using this feature.  For example,

http://www.shodanhq.com/?q=X-Content-Security-Policy

turns up around 366 web sites using X-Content-Security-Policy, only
one of which appears to be using policy-uri.

IMHO, we should remove policy-uri from CSP.

Adam
Received on Wednesday, 22 February 2012 23:58:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 22 February 2012 23:58:44 GMT