- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 24 Mar 2012 16:08:33 -0700
- To: Tobias Gondrom <tobias.gondrom@gondrom.org>
- Cc: public-web-security@w3.org
Hi Tobias,

On Sat, Mar 24, 2012 at 3:05 AM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote:
> very nice progress with the CSP and looking forward to this.

Thanks.

> A small comment.
> (In case it's already been dealt with, please accept my apologies for missing it):
>
> regarding section 3.1.2 Content-Security-Policy-Report-Only Header Field
> says:
> "If a server supplies at least one Content-Security-Policy-Report-Only
> header field in an HTTP response, the server must not supply any
> Content-Security-Policy header fields."

I think you might be reading the TR version of the spec, which doesn't reflect the latest edits. That sentence no longer exists in the latest version of the spec:

http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Specifically, it's now ok to supply both a Report-Only and a regular CSP policy (so that folks can test out new policies in report-only mode while continuing to use their old policies).

> And on a personal note: I wonder whether it may be useful to stress more
> that it would be strongly recommended to use TLS/SSL channel protection for
> CSP headers to protect their integrity (as with plain http MitM can not only
> read the channel but by injecting a different CSP-header could potentially
> abuse CSP-reporting functionality? What do you think?

That's a good idea. I'll add something to that effect to the security considerations section.

Thanks!
Adam
Received on Saturday, 24 March 2012 23:09:34 UTC