CSP transitivity and connect-src question

Dear WebApp Security Group,

I would like to ask a couple of questions about CSP (I'm reading the W3C Editor's Draft [1] of 25 April 2011), maybe some of them are not correct, in that case I would like to ask you to let me know. I am looking forward to getting your answers:

1. Is CSP transitive? Imagine a web page at a.com that has a CSP containing only one allowed resource "frame-src: b.com". Letís assume that b.com has a CSP containing "script-src: c.com". Now, once a frame from b.com has been loaded, can it load and execute a script from c.com? It seems that CSP does not forbids that because there is no explicit "redirection". 

Think about the same setting in ECMAScript-6, where the "import" directive will be introduced -- then one script can load another script and so on, how will CSP deal with that?

2. Imagine now that a web page contains CSP with "connect-src: x.com". Is it correct that the open() method of XMLHttpRequest and the other two constructors in the specification are allowed to actually make HTTP requests to y.com, but the user agent must act as if it received an empty HTTP response?

Thank you very much in advance,
Best regards,

[1] http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Nataliia Bielova
PostDoc at INRIA Rennes Bretagne Atlantique
Campus universitaire de Beaulieu
35042 Rennes Cedex, France
Tel: +33 299 84 75 87

Received on Friday, 27 April 2012 10:32:52 UTC