Re: Granularity of CSP

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 10 Oct 2012 17:22:24 -0700
Message-ID: <CAJE5ia8-xiQCqkWpF=6zrB_RR4_75+67uizjubNCpQKh+EQwBg@mail.gmail.com>
To: Peter Hultqvist <phq@silentorbit.com>
Cc: public-webappsec@w3.org

On Wed, Oct 10, 2012 at 4:44 AM, Peter Hultqvist <phq@silentorbit.com> wrote:
> On 10/03/2012 11:42 AM, Adam Barth wrote:
>> I'd encourage you to read the spec and to play with some of the
>> existing implementations.  That should help answer these sorts of
>> questions.
>
> Thanks for your answers, with those I made a second attempt in reading the
> specification and have some comments on the document itself. Although for
> your answers to the "why" questions I did not expect them from the document
> so great thanks for those.
>
> Please correct me if I'm wrong, I have now drawn the conclusion that a
> "resource representation" can be explained as a tab in a browser including
> all content therein.

That's not correct.  See, for example,

http://en.wikipedia.org/wiki/Representational_state_transfer
http://apsblog.burtongroup.com/2009/03/rest-principle-separation-of-representation-and-resource.html
http://www.hackcraft.net/rep/rep.html

> The tab has a single policy that is defined by the file
> retrieved by the URL in the address bar(being HTTP headers or the meta tag).
>
> So this would mean that in the future this policy could be applied to a PDF
> document having embedded JavaScript(although I'm going outside of my area in
> this statement).

That's true, but unrelated to your previous statements.

> Below follows some of my observations of the "resource representation" that
> made it hard for me to read the specification.
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
>
> About whether the policy applies to the HTML file or separate JavaScript
> files the "1. Introduction" ends with:
>
> Such policies apply to the current resource representation only. To supply a
> policy for an entire site, the server needs to supply a policy with each
> resource representation.
>
> Not knowing what a "resource representation" is this can easily be
> interpreted as a single resource such as a JavaScript file.

If you don't know what a resource representation is, you're going to
have trouble understanding the specification.  That's why we refer to
other specifications that define these basic terms.

Adam
Received on Thursday, 11 October 2012 00:23:24 GMT
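The practical consequence of the point argued in this thread (a policy covers only the resource representation it is delivered with, so a site-wide policy means sending it with every document) is easiest to see in server code. The following is an added example written for this archive page, not code from the thread or from the CSP specification: a small WSGI middleware that attaches a Content-Security-Policy header to each HTML response the site emits, leaves any policy the application already set untouched, and deliberately does not add the header to non-document responses such as scripts, since a policy delivered with a script does not govern the page that embeds it. The policy string, the `demo_app` application and the `fetch` helper are all constructed for the example.

```python
"""
Added example (not part of the original mailing-list thread): a WSGI
middleware that delivers a Content-Security-Policy header with every
HTML resource representation a site serves.  This is how "a policy for
an entire site" is actually achieved: the server repeats the policy on
each document response, because each policy applies only to the
representation it arrived with.
"""
from wsgiref.util import setup_testing_defaults

# Constructed sample policy; a real site tailors this to its own origins.
SITE_POLICY = "default-src 'self'; script-src 'self'"


def _is_html(headers):
    """True when the response is an HTML document (the thing a CSP governs)."""
    for name, value in headers:
        if name.lower() == "content-type" and value.lower().startswith("text/html"):
            return True
    return False


class CSPMiddleware:
    """Wraps a WSGI app and adds SITE_POLICY to every HTML response."""

    def __init__(self, app, policy=SITE_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def csp_start_response(status, headers, exc_info=None):
            headers = list(headers)
            already_set = any(n.lower() == "content-security-policy" for n, _ in headers)
            # Only the document response carries the policy; a header on the
            # script response would not cover the page that embeds the script.
            if _is_html(headers) and not already_set:
                headers.append(("Content-Security-Policy", self.policy))
            return start_response(status, headers, exc_info)

        return self.app(environ, csp_start_response)


def demo_app(environ, start_response):
    """Hypothetical site: two HTML pages and one script file."""
    path = environ.get("PATH_INFO", "/")
    if path.endswith(".js"):
        start_response("200 OK", [("Content-Type", "application/javascript")])
        return [b"console.log('loaded');"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><script src='/app.js'></script></body></html>"]


def fetch(app, path):
    """Run one request through a WSGI app; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = CSPMiddleware(demo_app)
    for path in ("/", "/page2", "/app.js"):
        status, headers, _ = fetch(app, path)
        print(path, status, headers.get("Content-Security-Policy"))
```

Running the block prints the policy for `/` and `/page2` and `None` for `/app.js`: both documents get their own copy of the policy, which is what the specification text quoted in the thread ("the server needs to supply a policy with each resource representation") requires, while the script response is left alone.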