
Re: Granularity of CSP

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 10 Oct 2012 17:22:24 -0700
Message-ID: <CAJE5ia8-xiQCqkWpF=6zrB_RR4_75+67uizjubNCpQKh+EQwBg@mail.gmail.com>
To: Peter Hultqvist <phq@silentorbit.com>
Cc: public-webappsec@w3.org
On Wed, Oct 10, 2012 at 4:44 AM, Peter Hultqvist <phq@silentorbit.com> wrote:
> On 10/03/2012 11:42 AM, Adam Barth wrote:
>> I'd encourage you to read the spec and to play with some of the
>> existing implementations.  That should help answer these sorts of
>> questions.
> Thanks for your answers; with those I made a second attempt at reading the
> specification and have some comments on the document itself. Although for
> your answers to the "why" questions, I did not expect them from the document,
> so great thanks for those.
> Please correct me if I'm wrong: I have now drawn the conclusion that a
> "resource representation" can be explained as a tab in a browser including
> all content therein.

That's not correct.  See, for example,


> The tab has a single policy that is defined by the file
> retrieved by the URL in the address bar (being HTTP headers or the meta tag).
> So this would mean that in the future this policy could be applied to a PDF
> document having embedded JavaScript (although I'm going outside of my area in
> this statement).

That's true, but unrelated to your previous statements.

> Below follows some of my observations of the "resource representation" that
> made it hard for me to read the specification.
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
> About whether the policy applies to the HTML file or separate JavaScript
> files the "1. Introduction" ends with:
> Such policies apply to the current resource representation only. To supply a
> policy for an entire site, the server needs to supply a policy with each
> resource representation.
> Not knowing what a "resource representation" is, this can easily be
> interpreted as a single resource such as a JavaScript file.

If you don't know what a resource representation is, you're going to
have trouble understanding the specification.  That's why we refer to
other specifications that define these basic terms.
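The scoping point at issue in this thread (a policy is attached to the resource representation it arrives with, governs the loads that document makes, and therefore has to be sent with every document if it is to cover a whole site) is shown below as an added example that is not part of the original message or of any CSP implementation. It is a small JavaScript model: the hosts app.example, cdn.example and evil.example, the `responses` table and the helper names are constructed for illustration, and only the subset of source expressions needed here is modelled.

```javascript
// Added example (not from the original thread): a minimal model of how a
// Content Security Policy is scoped. A policy belongs to the resource
// representation (one HTTP response) it arrives with, and it governs the
// subresource loads that document makes. A CSP header on a subresource
// such as a script does not create a policy for the document loading it.

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into a
// Map of directive name -> list of source expressions. A repeated
// directive name is ignored after its first occurrence.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit `url`, evaluated relative to the
// origin of the document whose policy this is? Only the subset needed
// here is modelled: 'none', 'self', '*' and scheme://[*.]host[:port].
function sourceMatches(expr, url, documentOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === documentOrigin;
  if (expr === '*') return true;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:/*]+)(?::(\d+))?$/i.exec(expr);
  if (!m) return false; // unsupported expression in this model: no match
  const [, scheme, wildcard, host, port] = m;
  if (url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  return port === undefined || url.port === port;
}

// Is a load of `url` for `directive` (e.g. 'script-src') allowed?
// A missing directive falls back to default-src; if neither is present
// the policy says nothing about this kind of load.
function allows(policy, directive, url, documentOrigin) {
  const sources = policy.has(directive) ? policy.get(directive) : policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some(expr => sourceMatches(expr, url, documentOrigin));
}

// Constructed responses (hosts and paths are made up for this example).
// The CSP header on app.js is attached to the script's own resource
// representation and is never consulted when index.html loads it.
const responses = {
  'https://app.example/index.html': {
    contentType: 'text/html',
    csp: "default-src 'none'; script-src 'self' https://cdn.example",
  },
  'https://app.example/other.html': {
    contentType: 'text/html', // no policy delivered with this document
  },
  'https://app.example/app.js': {
    contentType: 'application/javascript',
    csp: 'script-src https://evil.example', // ignored for loads by others
  },
  'https://cdn.example/lib.js': { contentType: 'application/javascript' },
  'https://evil.example/x.js': { contentType: 'application/javascript' },
};

// Decide whether the document at `documentUrl` may execute the script at
// `scriptUrl`. Only the document's own policy participates.
function canLoadScript(documentUrl, scriptUrl) {
  const doc = responses[documentUrl];
  if (doc === undefined) throw new Error('unknown document ' + documentUrl);
  if (doc.csp === undefined) return true; // no policy, no restriction
  const policy = parsePolicy(doc.csp);
  return allows(policy, 'script-src', new URL(scriptUrl), new URL(documentUrl).origin);
}

// Walk through the constructed cases.
for (const [doc, script] of [
  ['https://app.example/index.html', 'https://app.example/app.js'],
  ['https://app.example/index.html', 'https://cdn.example/lib.js'],
  ['https://app.example/index.html', 'https://evil.example/x.js'],
  ['https://app.example/other.html', 'https://evil.example/x.js'],
]) {
  console.log(`${doc} loading ${script}: ${canLoadScript(doc, script) ? 'allowed' : 'blocked'}`);
}
```

The last case is the one the introduction's sentence about "an entire site" warns about: other.html was served without a policy, so nothing restricts what it loads, even though index.html on the same host is locked down. The header on app.js is equally irrelevant to that decision; it would only matter if app.js were itself the document being rendered.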

Received on Thursday, 11 October 2012 00:23:24 UTC
