- From: Peter Hultqvist <phq@silentorbit.com>
- Date: Tue, 02 Oct 2012 18:35:32 +0200
- To: public-webappsec@w3.org
Is the goal of CSP to be site wide, per document or per request? Using an HTTP header would suggest a per-request policy, but in practice I would guess these are more likely set one time in the server configuration and thus apply to an entire website. A side question would be why one chooses to use HTTP headers for delivery rather than something like a robots.txt or crossdomain.xml file. I understand that using the header approach gives one much more fine-tuning ability, hence the rest of my questions.

Consider a single page of one HTML document and several linked script files, some of them located on third-party servers. How is the Content-Security-Policy applied? Does the policy for any document/script take precedence, such as the main HTML document? If so, can policies be set on a single .js file if the main document does not have one? Can policies be changed with every page load (by sending a different CSP header)? Can "Not Modified" set a new policy for a locally cached document?

I can think of a lot more examples that are unclear to me, but I guess a quick answer to any of the above would steer what follow-up questions I might have.
Received on Wednesday, 3 October 2012 09:26:33 UTC
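The post contrasts a policy set once in server configuration with one chosen per response. The following is an added example, not part of the original message or of any W3C material, showing the server side of that distinction: a site-wide default header that every HTML response receives, with per-document overrides keyed by path. The paths, the policy strings and the CDN hostname are constructed for illustration; the server attaches the header only to document responses, since the header on a subresource such as a script file does not govern the page that includes it.

```python
"""Added example: per-response CSP delivery on the server side.

A site-wide default (what a single server-config line would give) is applied
to every HTML response, and individual documents can override it per request.
Paths, policies and hostnames below are constructed for illustration.
"""
from typing import Dict, List

# Constructed site-wide default policy.
SITE_DEFAULT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.test"

# Constructed per-document overrides, keyed by request path.
PER_DOCUMENT_CSP = {
    "/admin": "default-src 'self'; script-src 'self'",            # no third-party scripts
    "/embed": "default-src 'self'; frame-ancestors 'none'",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy[parts[0].lower()] = parts[1:]
    return policy


def choose_csp(path: str) -> str:
    """Pick the policy for one response: per-document override, else site default."""
    return PER_DOCUMENT_CSP.get(path, SITE_DEFAULT_CSP)


def response_headers(path: str, content_type: str) -> Dict[str, str]:
    """Build response headers for `path`.

    The policy is attached only to HTML document responses; a script file
    served from this server carries no CSP header of its own.
    """
    headers = {"Content-Type": content_type}
    if content_type.startswith("text/html"):
        headers["Content-Security-Policy"] = choose_csp(path)
    return headers


def app(environ, start_response):
    """Minimal WSGI application wiring the helpers above into real responses."""
    path = environ.get("PATH_INFO", "/")
    is_script = path.endswith(".js")
    content_type = "application/javascript" if is_script else "text/html; charset=utf-8"
    headers = response_headers(path, content_type)
    start_response("200 OK", list(headers.items()))
    return [b"console.log(1)" if is_script else b"<!doctype html><p>hello</p>"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Serve locally; request /, /admin, /embed and /app.js to compare headers.
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

Changing the per-path table between requests is what a per-request policy looks like from the server's side; leaving only `SITE_DEFAULT_CSP` in place is the one-line site-wide configuration the post describes.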