First policy policy (Action 34)

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 17 Jan 2012 13:23:44 -0800
Message-ID: <CABcZeBNO+ryLNzfucvgEdXWSmhrNhs+zQfBBpRuS92RhwuoNiw@mail.gmail.com>
To: public-webappsec <public-webappsec@w3.org>
I promised (Action 34) to go through the document and make
sure that the first policy found is clear. Not sure it is,
though.

Questions:
3.1.1 reads:

  Upon receiving an HTTP response containing at least one
  Content-Security-Policy header field, the user agent must enforce
  the policy contained in the first such header field.

Don't we want to say MUST NOT enforce the policies contained in
subsequent header fields? The same question applies to 3.1.2.


3.1.2. reads:
  Upon receiving an HTTP response containing at least one
  Content-Security-Policy-Report-Only header field, the user agent
  must monitor the policy contained in the first such header field.

What if I have both CSP and CSPRO fields? Do I do one monitor and
one enforce?

3.1.3.
Does this imply that I need to start enforcing as soon as I see
the meta element? I don't understand the processing model well
enough to know if this means that they must be processed in
order.

S 4.1.2. reads:

  Fetch the request URI from origin of the protected document, with
  the synchronous flag set, using HTTP method GET.

I assume that the point of the synchronous flag is to force this fetch
to block everything else? Just want to make sure that that is actually
the impact.

-Ekr
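An added illustration (not part of the message above, the spec draft it quotes, or any browser's code) of the "first policy found" rule as worded in the quoted 3.1.1 and 3.1.2 text: a small model of a user agent that picks the first Content-Security-Policy header to enforce and the first Content-Security-Policy-Report-Only header to monitor, and records the later headers of each kind that the rule silently ignores. It assumes, beyond what the draft text says, that header-name matching is case-insensitive and that the enforce and report-only headers are handled independently of each other (one monitored, one enforced); that independence is precisely the open question raised in the message, so treat it as a labelled assumption rather than a reading of the spec. The sample headers are constructed.

```python
"""Model of the "first policy" rule quoted from the January 2012 CSP draft.

Added example, not code from the original message or the spec.
Assumptions not stated on the page: header names match case-insensitively,
and CSP / CSP-Report-Only headers are selected independently (one policy
enforced, one monitored).
"""
from typing import Dict, List, Optional, Tuple

ENFORCE_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"

Policy = Dict[str, List[str]]


def parse_policy(value: str) -> Policy:
    """Split a serialized policy into {directive-name: [source-expr, ...]}.

    Directives are ';'-separated; the first token of each is the directive
    name and the remaining tokens are its source list, e.g.
    "default-src 'self' https:" -> {"default-src": ["'self'", "https:"]}.
    """
    policy: Policy = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A repeated directive inside one policy keeps its first occurrence
        # (constructed assumption for this model, not taken from the page).
        policy.setdefault(name, sources)
    return policy


def select_policies(
    headers: List[Tuple[str, str]],
) -> Tuple[Optional[Policy], Optional[Policy], List[str]]:
    """Apply 3.1.1 / 3.1.2 as quoted: the first header of each kind wins.

    Returns (enforced_policy, monitored_policy, ignored_header_values).
    Later headers of the same kind are collected so a developer can see
    which policies did nothing under the first-header rule.
    """
    enforced: Optional[Policy] = None
    monitored: Optional[Policy] = None
    ignored: List[str] = []
    for name, value in headers:
        key = name.strip().lower()
        if key == ENFORCE_HEADER:
            if enforced is None:
                enforced = parse_policy(value)
            else:
                ignored.append(value)
        elif key == REPORT_ONLY_HEADER:
            if monitored is None:
                monitored = parse_policy(value)
            else:
                ignored.append(value)
    return enforced, monitored, ignored


# Constructed sample response headers: two enforcing headers (the second,
# stricter one is dropped under the first-header rule) plus one report-only
# header that is monitored alongside the enforced policy.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; img-src 'self' https:"),
    ("Content-Security-Policy", "default-src 'none'"),
    ("Content-Security-Policy-Report-Only", "script-src 'self'; report-uri /csp"),
]

if __name__ == "__main__":
    enforced, monitored, ignored = select_policies(SAMPLE_HEADERS)
    print("enforced :", enforced)
    print("monitored:", monitored)
    print("ignored  :", ignored)
```

The `ignored` list is the practical point: under the rule as quoted, a second, stricter Content-Security-Policy header set by a proxy or framework layer would have no effect at all, which is why the message asks whether the draft should say so explicitly.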
Received on Tuesday, 17 January 2012 21:25:12 GMT