- From: Nataliia Bielova <Nataliia.Bielova@inria.fr>
- Date: Wed, 25 Apr 2012 17:18:25 +0200
- To: public-webappsec@w3.org
- Message-Id: <6E6863E2-C9AE-44A1-A5EC-2CF0DB8855D6@inria.fr>
Dear WebApp Security Group,

I would like to ask a couple of questions about CSP (I'm reading the W3C Editor's Draft [1] of 25 April 2011); maybe some of them are not correct, in which case I would like to ask you to let me know. I am looking forward to getting your answers:

1. Is CSP transitive? Imagine a web page at a.com that has a CSP containing only one allowed resource, "frame-src: b.com". Let's assume that b.com has a CSP containing "script-src: c.com". Now, once a frame from b.com has been loaded, can it load and execute a script from c.com? It seems that CSP does not forbid that, because there is no explicit "redirection". Think about the same setting in ECMAScript 6, where the "import" directive will be introduced: then one script can load another script and so on. How will CSP deal with that?

2. Imagine now that a web page contains a CSP with "connect-src: x.com". Is it correct that the open() method of XMLHttpRequest and the other two constructors in the specification are allowed to actually make HTTP requests to y.com, but the user agent must act as if it received an empty HTTP response?

Thank you very much in advance,

Best regards,
Nataliia

[1] http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

---
Nataliia Bielova
PostDoc at INRIA Rennes Bretagne Atlantique
Campus universitaire de Beaulieu
35042 Rennes Cedex, France
Tel: +33 299 84 75 87
Received on Friday, 27 April 2012 10:32:52 UTC
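The following is an added example, not part of the message above or of the CSP specification text: a small JavaScript model of how a user agent evaluates a document's policy, written to make the first question concrete. CSP is enforced per document: a document's policy governs only the fetches that document itself initiates, so the b.com frame's script load is checked against b.com's own policy, and a.com's policy is never consulted for it (CSP is not transitive). The hostnames, the `default-src 'none'` fallback on the top document, and the helper names (`parsePolicy`, `sourceMatches`, `isAllowed`, `makeDocument`) are all assumptions made for this illustration; the matcher handles only http/https host-source expressions and the keywords `'self'`, `'none'` and `*`.

```javascript
// Added example (not from the original message): a minimal, per-document CSP
// evaluator. Policies, hostnames and helper names are constructed for
// illustration only.

// "frame-src b.com; script-src c.com" -> Map { "frame-src" => ["b.com"], ... }
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Does one source expression match `url`, evaluated from the protected
// document's origin? Supports 'none', 'self', * and [scheme://]host[:port]
// (host may start with "*."). http/https only; paths are ignored.
function sourceMatches(expr, url, docOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === docOrigin.origin;
  if (expr === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcardSub, host, port] = m;
  // A scheme-less host-source takes the scheme of the protected document.
  const wantScheme = scheme || docOrigin.protocol.replace(":", "");
  if (url.protocol.replace(":", "") !== wantScheme) return false;
  const h = url.hostname;
  if (host === "*") {
    // any host
  } else if (wildcardSub) {
    if (!h.endsWith("." + host)) return false;
  } else if (h !== host) {
    return false;
  }
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// May `doc` fetch `urlString` under `directive`? Falls back to default-src;
// a policy that names neither directive imposes no restriction on that fetch.
function isAllowed(doc, directive, urlString) {
  const url = new URL(urlString);
  const sources = doc.policy.get(directive) ?? doc.policy.get("default-src");
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, url, doc.origin));
}

// A "document" is just its origin plus the policy delivered with it.
function makeDocument(originString, header) {
  return { origin: new URL(originString), policy: parsePolicy(header) };
}

// Question 1: a.com frames b.com; the b.com document then loads a script
// from c.com. Each document is checked only against its own policy.
function transitivityScenario() {
  const top = makeDocument("https://a.com", "default-src 'none'; frame-src b.com");
  const frame = makeDocument("https://b.com", "script-src c.com");
  return {
    topMayFrameB: isAllowed(top, "frame-src", "https://b.com/page"),
    // The frame's script load is governed by the frame's OWN policy ...
    frameMayLoadCScript: isAllowed(frame, "script-src", "https://c.com/app.js"),
    // ... and the top document's policy, which would refuse it, is not consulted.
    topPolicyWouldAllowCScript: isAllowed(top, "script-src", "https://c.com/app.js"),
  };
}

// Question 2: with "connect-src x.com", a connection to y.com does not match
// the policy; a request to x.com over the document's scheme does.
function connectScenario() {
  const doc = makeDocument("https://example.org", "connect-src x.com");
  return {
    xAllowed: isAllowed(doc, "connect-src", "https://x.com/api"),
    yAllowed: isAllowed(doc, "connect-src", "https://y.com/api"),
    // scheme-less "x.com" inherits https from the document, so plain http fails
    httpXAllowed: isAllowed(doc, "connect-src", "http://x.com/api"),
  };
}

console.log(transitivityScenario(), connectScenario());
```

The model decides only whether a fetch matches the policy; what the user agent does with a non-matching fetch (whether it blocks the request outright or issues it and substitutes an empty response, as the second question asks) is a separate enforcement rule that this example deliberately does not assume either way.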