- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 15 Apr 2011 15:39:07 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 4/14/11 5:47 PM, Adam Barth wrote: > To confirm my understanding, if a document has a CSP policy consisting > of a policy-uri, then the user agent is supposed to block processing > of the document until it finishes fetching the policy-uri, right? > That seems very bad for performance. Yes. That's why we originally didn't include a policy-uri option. There were persistent requests that for some use-cases (complex/large site-wide policies) a cached policy more than made up for the initial latency in saved bandwidth on subsequent requests. I prefer in-line policies, but it doesn't hurt to support both and let sites decide which fits their needs better. -Dan Veditz
Received on Friday, 15 April 2011 22:39:43 UTC