- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 11 Feb 2011 10:41:32 -0800
- To: Terri Oda <terri@zone12.com>
- CC: public-web-security@w3.org
On 2/4/11 1:03 PM, Terri Oda wrote:
> I vaguely recall that there was a reason a separate policy file was
> rejected as an idea in previous CSP discussion.

A separate policy file has drawbacks: it's an extra connection and will block page rendering while it's being loaded. The current Mozilla implementation is a synchronous request like an (old-style) <script src=>, but even if we later optimize with async loading we're going to have to block at the first construct that might be covered by a policy.

A separate policy file has advantages: it makes the header compact, and if the same policy is appropriate for the whole site (or large sections) then caching helps with the latency problem.

As Lucas said we won't know until sites try to deploy, but we imagine in-line policies will be appropriate for simple sites and maybe for sites with per-resource policies generated on the fly, and sites with large complex policies will use policy-uri. On our own sites, for example, http://blog.mozilla.com/security/ uses an in-line policy and https://addons.mozilla.org/ uses an external policy-uri. We're experimenting to see what works (thus the X- header, which we fully expect an official spec to do away with).

-Dan Veditz
Received on Friday, 11 February 2011 18:42:44 UTC
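The in-line versus policy-uri trade-off described in the message above, as an added example that is not part of the original thread and not Mozilla's implementation: a toy client-side resolver that reads the experimental X-Content-Security-Policy header, uses an in-line policy directly, and for `policy-uri` pays the extra blocking fetch once per URI and then serves later pages from its cache. The sample site (`example.test`, `attacker.test`, the `/csp.txt` policy file), the `allow`/`img-src` directive syntax, the rule that `policy-uri` must be the only directive and same-origin with the document, the `text/x-content-security-policy` content-type check and the fail-closed `allow 'none'` fallback are all assumptions made for this example, not statements from the message.

```python
"""Toy resolver for the two forms of the experimental X-Content-Security-Policy
header: an in-line policy versus a policy-uri indirection.

Added example; not code from the mailing-list thread or from Mozilla.
"""

from urllib.parse import urljoin, urlsplit

HEADER = "X-Content-Security-Policy"

# Constructed sample site: url -> (response headers, body). Pages /a and /b
# share one external policy file; /evil points policy-uri at another origin.
SITE = {
    "https://example.test/": (
        {HEADER: "allow 'self'; img-src *"}, "<html>inline-policy page</html>"),
    "https://example.test/a": ({HEADER: "policy-uri /csp.txt"}, "<html>a</html>"),
    "https://example.test/b": ({HEADER: "policy-uri /csp.txt"}, "<html>b</html>"),
    "https://example.test/csp.txt": (
        {"Content-Type": "text/x-content-security-policy"},
        "allow 'self'; script-src 'self' cdn.example.test"),
    "https://example.test/evil": (
        {HEADER: "policy-uri https://attacker.test/csp.txt"}, "<html>evil</html>"),
}


def parse_policy(text):
    """Parse the old 'allow ...; img-src ...' syntax into {directive: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class PolicyClient:
    """Models the step a browser cannot skip: the effective policy must be known
    before the first policy-governed construct in the page is processed."""

    # Policy applied when a policy-uri cannot be honoured (example's choice).
    FAIL_CLOSED = {"allow": ["'none'"]}

    def __init__(self, site):
        self.site = site
        self.cache = {}   # absolute policy-uri -> parsed policy, kept across loads
        self.fetches = 0  # every network round trip this client makes

    def fetch(self, url):
        self.fetches += 1
        return self.site[url]

    def load(self, url):
        """Return (effective policy or None, page body) for one page load."""
        headers, body = self.fetch(url)
        raw = headers.get(HEADER)
        if raw is None:
            return None, body              # no policy: nothing to block on
        policy = parse_policy(raw)
        if "policy-uri" not in policy:
            return policy, body            # in-line policy: no extra connection
        # Assumed rules: policy-uri stands alone and is same-origin with the page.
        if len(policy) != 1 or len(policy["policy-uri"]) != 1:
            return self.FAIL_CLOSED, body
        policy_url = urljoin(url, policy["policy-uri"][0])
        if urlsplit(policy_url)[:2] != urlsplit(url)[:2]:   # (scheme, host) must match
            return self.FAIL_CLOSED, body
        if policy_url not in self.cache:
            # The extra, blocking round trip; paid once per distinct policy-uri.
            pheaders, ptext = self.fetch(policy_url)
            if pheaders.get("Content-Type") != "text/x-content-security-policy":
                return self.FAIL_CLOSED, body
            self.cache[policy_url] = parse_policy(ptext)
        return self.cache[policy_url], body


def demo():
    """Load four sample pages with one client; return their policies and fetch count."""
    client = PolicyClient(SITE)
    pages = ["https://example.test/", "https://example.test/a",
             "https://example.test/b", "https://example.test/evil"]
    results = {url: client.load(url)[0] for url in pages}
    return results, client.fetches


if __name__ == "__main__":
    policies, fetches = demo()
    for url, policy in policies.items():
        print(url, "->", policy)
    print("network fetches for 4 page loads:", fetches)
```

Running it shows the shape of the argument in the message: the in-line page costs one fetch, the first policy-uri page costs two, the second page sharing that URI costs one again because the cache answers, and the cross-origin policy-uri is refused without any fetch and falls back to the closed policy.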