
Granularity of CSP

From: Peter Hultqvist <phq@silentorbit.com>
Date: Tue, 02 Oct 2012 18:35:32 +0200
Message-ID: <506B17D4.5020606@silentorbit.com>
To: public-webappsec@w3.org
Is the goal of CSP to be site wide, per document or per request?

Using a HTTP header would suggest being a per request policy but in 
practice I would guess these are more likely set one time in the server 
configuration thus apply to an entire website.

A side question would be why one chooses to use HTTP headers for delivery 
rather than something like a robots.txt or crossdomain.xml file. I 
understand that using the header approach gives one much more fine 
tuning abilities, thus the cause for the rest of my questions.

Considering a single page of one HTML document and several linked script 
files, some of them being located on third party servers.

How is the Content-Security-Policy applied?
Does the policy for any document/script take precedence such as the main 
HTML document?
If so can policies be set on a single .js file if the main document does 
not have one?

Can policies be changed with every page load (by sending a different CSP 
header)?
Can "Not Modified" set a new policy for a locally cached document?

I can think of a lot of more examples being unclear to me, but I guess a 
quick answer to any of the above would steer what follow up questions I 
might have.
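To make the "one HTML document, several linked scripts" scenario concrete, here is an added example (not code from the post or from the CSP specification) that evaluates a document's policy against the script URLs it loads. It assumes the policy is the one delivered with the HTML document's own response, and simplifies host matching: no ports, paths, nonces or hashes.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    """Host-source match; a leading '*.' matches subdomains only, not the bare domain."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def source_allows(source, url, document_origin):
    """Does one source expression of the document's policy allow loading `url`?"""
    doc, target = urlparse(document_origin), urlparse(url)
    host = target.netloc.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, host) == (doc.scheme, doc.netloc.lower())
    if source == "*":                       # simplified: any network scheme
        return target.scheme in ("http", "https")
    if source.endswith(":"):                # scheme-source, e.g. "https:"
        return target.scheme == source[:-1].lower()
    if "://" in source:                     # host-source with explicit scheme
        parsed = urlparse(source)
        return target.scheme == parsed.scheme and _host_matches(parsed.netloc, host)
    # bare host-source: assumed to inherit the document's scheme (simplification)
    return target.scheme == doc.scheme and _host_matches(source, host)

def script_allowed(policy_header, script_url, document_origin):
    """script-src governs scripts; default-src is the fallback; no directive means unrestricted."""
    policy = parse_csp(policy_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, script_url, document_origin) for s in sources)

if __name__ == "__main__":
    # Constructed sample: the document's policy and the scripts it links to.
    DOC = "https://example.com"
    POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net *.trusted.org"
    for url in ("https://example.com/app.js", "https://cdn.example.net/lib.js",
                "https://api.trusted.org/x.js", "https://trusted.org/x.js",
                "http://cdn.example.net/lib.js", "https://evil.example.org/x.js"):
        print(f"{'allowed' if script_allowed(POLICY, url, DOC) else 'BLOCKED':8} {url}")
```

The decision is made per document against that document's policy; a CSP header carried by a script's own response does not enter this evaluation.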
Received on Wednesday, 3 October 2012 09:26:33 GMT