
[webappsec] Refining CSP header definitions and advice to intermediaries

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 26 Mar 2012 21:57:24 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E0697DB@DEN-EXDDA-S12.corp.ebay.com>
Action 35 on CSP is open and needs a new owner:

https://www.w3.org/2011/webappsec/track/actions/35

This is related to providing "advice to server operators on combining policies", given that only the first one found will be enforced.

Topically, today at IETF 83, the websec and http WG chairs discussed where to finalize the specification of the CSP HTTP header definition.  The agreement was that it was fine to do it in this group (or have the IETF simply copy our text to an ID), but that a few necessary items were still missing - such as indicating whether it is an end-to-end header and clarifying intermediary behavior.

Would anyone like to volunteer to write this section?  It would be advice to, e.g., network-edge devices such as WAFs that might add a CSP, on how to do so, and on how to act if a CSP header or META tag is already present.

Thanks,

Brad
Received on Monday, 26 March 2012 21:57:57 GMT
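The first-header-wins rule Brad refers to has a practical consequence for the intermediaries this action is about: under that rule, a WAF that simply appends a second Content-Security-Policy header achieves nothing, because the client enforces only the one it finds first. The edge device therefore has two sane options, leave an existing policy alone or fold its own directives into the single header the client will read. The Python below is an added example of that decision logic; it is not code from the mailing-list post or from the CSP specification. The header name, the META tag detection and the intersection-style merge (keep only source expressions both policies allow, so the result is never looser than either input) are assumptions made for the example, not behaviour the draft defined.

```python
"""Intermediary-side handling of a Content-Security-Policy header.

Added example, not code from the mailing-list thread or the CSP spec.  It
assumes the draft rule that a user agent enforces only the first CSP header
it finds, and shows what an edge device such as a WAF can do about it: add a
header only when none is present, or fold its directives into the existing
one.  Header name, META detection and the merge semantics are assumptions.
"""
import re

CSP_HEADER = "Content-Security-Policy"  # assumed header name
# Assumed shape of a policy delivered in markup instead of a header.
META_RE = re.compile(
    r"<meta\s[^>]*http-equiv\s*=\s*[\"']?content-security-policy[\"']?",
    re.IGNORECASE,
)


def parse_policy(policy):
    """Split "default-src 'self'; img-src *" into {directive: [sources]}.

    Directive names are lower-cased; a repeated directive keeps its first
    occurrence and later ones are ignored.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives):
    """Inverse of parse_policy: one header value, directives joined by '; '."""
    return "; ".join(
        (name + " " + " ".join(sources)).strip() for name, sources in directives.items()
    )


def intersect_sources(ours, theirs):
    """Source expressions present in both lists (case-insensitive match).

    A bare '*' on one side defers to the other.  An empty intersection
    becomes 'none', so a merge can only tighten a directive, never loosen it.
    """
    if ours == ["*"]:
        return list(theirs)
    if theirs == ["*"]:
        return list(ours)
    allowed = {s.lower() for s in theirs}
    kept = [s for s in ours if s.lower() in allowed]
    return kept or ["'none'"]


def merge_policies(existing, added):
    """Fold `added` into `existing` and return the combined directive map.

    Directives stated by both sides are intersected; a directive only one
    side states is carried over unchanged.  Order follows the existing header.
    """
    current, extra = parse_policy(existing), parse_policy(added)
    merged = dict(current)
    for name, sources in extra.items():
        merged[name] = (
            intersect_sources(current[name], sources) if name in current else list(sources)
        )
    return merged


def apply_intermediary_policy(headers, body, policy, merge=False):
    """Decide how an intermediary applies `policy` to an origin response.

    headers: list of (name, value) pairs as received from the origin.
    body:    response body (str or bytes), scanned only for a CSP META tag.
    Returns (new_headers, action) with action 'added', 'merged' or
    'left-alone'.  A second CSP header is never appended: under the
    first-header-wins rule it would be silently ignored.
    """
    text = body if isinstance(body, str) else body.decode("utf-8", "replace")
    positions = [i for i, (name, _) in enumerate(headers) if name.lower() == CSP_HEADER.lower()]
    if not positions:
        if META_RE.search(text):
            # Precedence between a META policy and a header is not something
            # this example can assume, so an existing META policy is left alone.
            return list(headers), "left-alone"
        return list(headers) + [(CSP_HEADER, policy)], "added"
    if merge:
        first = positions[0]
        combined = serialize_policy(merge_policies(headers[first][1], policy))
        new_headers = list(headers)
        new_headers[first] = (CSP_HEADER, combined)
        return new_headers, "merged"
    return list(headers), "left-alone"


if __name__ == "__main__":
    # Constructed sample: an origin response that already carries a policy.
    origin_headers = [
        ("Content-Type", "text/html"),
        (CSP_HEADER, "default-src 'self' https://cdn.example; img-src *"),
    ]
    waf_policy = "default-src 'self'; frame-ancestors 'none'"
    hdrs, action = apply_intermediary_policy(origin_headers, "<html></html>", waf_policy, merge=True)
    print(action, dict(hdrs)[CSP_HEADER])
```

The default (`merge=False`) is the conservative choice for a device that cannot reason about the origin's intent: it adds a policy only where there is none, and otherwise does nothing rather than emitting a header the client will ignore. The merge path is what an operator would enable when the edge policy is meant to be a floor that the origin's own policy may not relax.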
