
Re: Granularity of CSP

From: Peter Hultqvist <phq@silentorbit.com>
Date: Wed, 10 Oct 2012 13:44:27 +0200
Message-ID: <50755F9B.2000302@silentorbit.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org

On 10/03/2012 11:42 AM, Adam Barth wrote:
> I'd encourage you to read the spec and to play with some of the
> existing implementations.  That should help answer these sorts of
> questions.
>
> Adam
>
Thanks for your answers; with those I made a second attempt at reading
the specification and have some comments on the document itself. As for
your answers to the "why" questions, I did not expect them from the
document, so many thanks for those.

Please correct me if I'm wrong; I have now drawn the conclusion that a
"resource representation" can be explained as a tab in a browser,
including all content therein. The tab has a single policy that is
defined by the file retrieved by the URL in the address bar (being HTTP
headers or the meta tag).

So this would mean that in the future this policy could be applied to a
PDF document having embedded JavaScript (although I'm going outside of my
area in this statement).

Below follow some of my observations about the "resource representation"
that made it hard for me to read the specification.
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

About whether the policy applies to the HTML file or to separate JavaScript
files, "1. Introduction" ends with:

    Such policies apply to the current resource representation only. To
    supply a policy for an entire site, the server needs to supply a
    policy with each resource representation.

Not knowing what a "resource representation" is, this can easily be
interpreted as a single resource such as a JavaScript file. I continued:

In section "2.1 Key Concepts and Terminology" I read:

    "resource representation is defined in the HTTP 1.1 specification"

but opening that document, there is no string "resource representation";
however, there is a "representation" with, in my impression, a rather vague
definition referring to section 12 about content negotiation.
Received on Wednesday, 10 October 2012 11:44:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 10 October 2012 11:45:00 GMT
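The specification passage quoted in this message says a policy applies to the current resource representation only, so supplying one for a whole site means every HTML document must carry its own, via the Content-Security-Policy response header or a `<meta http-equiv>` tag. The following is an added example, not code from this thread or from the specification, that audits a set of responses for exactly that: which documents deliver a policy, through which channel, and which deliver none. A policy attached to a script response is recorded but flagged as a subresource, because it does not apply to the document that loaded the script. All URLs, headers and bodies below are constructed sample data.

```python
"""Audit which documents in a site crawl actually carry a Content-Security-Policy.

Added example (not from the mailing-list thread or the CSP spec). The
responses in SAMPLE_RESPONSES are constructed sample data.
"""
from html.parser import HTMLParser

CSP_HEADER = "content-security-policy"


class _MetaCSP(HTMLParser):
    """Collect policies from <meta http-equiv="Content-Security-Policy" content="...">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == CSP_HEADER and "content" in a:
            self.policies.append(a["content"])


def parse_policy(policy):
    """Split "default-src 'self'; script-src cdn.example" into {directive: [sources]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_response(url, headers, body):
    """Describe how (if at all) one response delivers a CSP policy.

    'delivery' is 'header', 'meta', 'both' or 'none'. Only HTML documents are
    scanned for meta tags; a header on a script or stylesheet is recorded but
    'is_document' is False, since such a policy does not govern the page.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    is_document = ctype in ("text/html", "application/xhtml+xml")
    header_policies = [lower[CSP_HEADER]] if CSP_HEADER in lower else []
    meta_policies = []
    if is_document:
        p = _MetaCSP()
        p.feed(body)
        meta_policies = p.policies
    kind = {(True, True): "both", (True, False): "header",
            (False, True): "meta", (False, False): "none"}[
        (bool(header_policies), bool(meta_policies))]
    return {"url": url, "is_document": is_document, "delivery": kind,
            "policies": [parse_policy(p) for p in header_policies + meta_policies]}


def documents_missing_policy(responses):
    """URLs of HTML documents that deliver no policy through either channel."""
    return [r["url"] for r in (audit_response(*t) for t in responses)
            if r["is_document"] and r["delivery"] == "none"]


# Constructed sample crawl: (url, response headers, body). Hosts are placeholders.
SAMPLE_RESPONSES = [
    ("https://site.example/",
     {"Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example"},
     "<html><head><title>home</title></head><body></body></html>"),
    ("https://site.example/about",
     {"Content-Type": "text/html"},
     '<html><head><meta http-equiv="Content-Security-Policy" '
     'content="default-src \'self\'"></head><body></body></html>'),
    ("https://site.example/legacy",
     {"Content-Type": "text/html"},
     "<html><body>no policy here</body></html>"),
    ("https://cdn.example/app.js",
     {"Content-Type": "application/javascript",
      "Content-Security-Policy": "default-src 'none'"},
     "console.log('hi')"),
]

if __name__ == "__main__":
    for t in SAMPLE_RESPONSES:
        r = audit_response(*t)
        role = "document" if r["is_document"] else "subresource"
        print(r["url"], role, r["delivery"], r["policies"])
    print("documents without a policy:", documents_missing_policy(SAMPLE_RESPONSES))
```

Run against a real crawl, the `documents_missing_policy` list is the set of pages that fall outside the site's intended policy, which is the practical consequence of "the server needs to supply a policy with each resource representation".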