Re: Granularity of CSP

From: David Bruant <bruant.d@gmail.com>
Date: Wed, 3 Oct 2012 11:41:54 +0200
Message-ID: <CAHbscB39Wwtqmnv9CHo8=HNgu0j9ySo5r_EWQj3-xNF0RB7mpw@mail.gmail.com>
To: Peter Hultqvist <phq@silentorbit.com>
Cc: public-webappsec@w3.org
2012/10/2 Peter Hultqvist <phq@silentorbit.com>

> Is the goal of CSP to be site wide, per document or per request?
>
> Using a HTTP header would suggest being a per request policy

Indeed.


> but in practice I would guess these are more likely set one time in the
> server configuration thus apply to an entire website.
>
You can always configure your Apache/Tomcat/node.js/RoR so that it
always sends the header.

There are different things to address. The web platform needs to provide
fine-grained control over the security web devs can apply. This is what CSP
is about. It provides fine-grained bricks to build a fine-tuned security
policy.
I however agree that in a lot of cases, you want a domain-wise policy. You can
build this with the current spec. You just need to build it yourself.
To be honest, with the open source culture of web development, one
person/company will build it and share it, so you don't need to worry about
it. At worst, you'll want to review it; at best, you can trust it'll work
out of the box.

David
Received on Wednesday, 3 October 2012 09:42:22 GMT
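The "build it yourself" approach David describes, as an added example that is not part of the thread: a small node.js handler that always sends a Content-Security-Policy header (the per-request mechanism), derived from one site-wide baseline plus optional per-path refinements (the fine-grained bricks). The paths, source lists and policy values are made up for illustration; the unprefixed header name is assumed (in 2012 shipping browsers still read the prefixed X-Content-Security-Policy / X-WebKit-CSP names, so a real deployment would emit those too). Only CSP 1.0 directives are used.

```javascript
'use strict';

// Site-wide baseline: every response gets at least this (constructed example values).
const SITE_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
};

// Per-path refinements (hypothetical routes). An override replaces a directive
// wholesale, so a route can loosen one directive (/embed) or tighten one (/login)
// while inheriting everything else from the baseline.
const ROUTE_POLICIES = {
  '/embed': {
    'script-src': ["'self'", 'https://cdn.example'],
    'frame-src': ['https://player.example'],
  },
  '/login': {
    'script-src': ["'none'"],
  },
};

function mergePolicy(base, override) {
  // Keys of `base` keep their order; overridden keys keep their position,
  // new keys are appended. Source lists are replaced, not unioned.
  return Object.assign({}, base, override || {});
}

function serializePolicy(policy) {
  // Reject anything that could smuggle an extra directive or header line if a
  // source expression ever comes from a less trusted place than this file.
  return Object.keys(policy).map((name) => {
    if (!/^[a-z][a-z-]*$/.test(name)) {
      throw new Error('bad directive name: ' + name);
    }
    const sources = policy[name];
    for (const src of sources) {
      if (/[;,\r\n\s]/.test(src)) {
        throw new Error('bad source expression: ' + src);
      }
    }
    return name + ' ' + sources.join(' ');
  }).join('; ');
}

function policyFor(pathname) {
  return serializePolicy(mergePolicy(SITE_POLICY, ROUTE_POLICIES[pathname]));
}

// Drop-in for a node.js http server or connect/express-style middleware chain:
// sets the header on every response before the route handler runs.
function cspMiddleware(req, res, next) {
  const pathname = new URL(req.url, 'http://localhost').pathname;
  res.setHeader('Content-Security-Policy', policyFor(pathname));
  if (next) next();
}

// Stand-alone demonstration with a minimal fake response object, so the file
// runs without opening a socket.
function demo(url) {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  cspMiddleware({ url: url }, res, () => {});
  return res.headers['Content-Security-Policy'];
}

console.log('/      ->', demo('/'));
console.log('/embed ->', demo('/embed?autoplay=1'));
console.log('/login ->', demo('/login'));
```

Plugging `cspMiddleware` into `http.createServer((req, res) => cspMiddleware(req, res, () => handle(req, res)))` gives the "server always sends the header" behaviour from the reply, while `ROUTE_POLICIES` is where the per-document granularity lives; an unlisted path simply gets the baseline.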