webappsec-ISSUE-58 (Late binding of CSP): Late binding of CSP policies [CSP 1.1]

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 08 Apr 2014 16:50:27 +0000
Message-Id: <E1WXZEB-000112-Pa@shauna.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/58

Raised by: Brad Hill
On product: CSP 1.1

Need to consider how to handle late-binding of CSP policies.

Right now we say that meta tags are ignored if a policy is present in the header.

Sysapps Manifest spec allows specifying a supplemental CSP policy, but the manifest is lazily loaded.  Creates interesting issues with initial enforcement, and differences in behavior between first load and subsequent loads once CSP is cached.

http://manifest.sysapps.org/#csp-member

Similar issues seem to exist for ServiceWorkers and CSP.
Received on Tuesday, 8 April 2014 16:50:28 UTC