- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 22 Feb 2012 15:57:43 -0800
- To: public-webappsec@w3.org
- Cc: Daniel Veditz <dveditz@mozilla.com>
Rather than include a policy in the Content-Security-Policy header, web sites can use the policy-uri directive to direct the browser to retrieve the CSP policy from a URL:

http://www.w3.org/TR/CSP/#policy-uri

Content-Security-Policy: policy-uri /my-csp-policy.txt

Pro:

1) If sites have long, complicated policies, it might be more efficient for them to transfer their policy to the user agent once (where it will be cached) rather than include the entire policy in each HTTP response.

2) It might be easier to maintain a single, centralized CSP policy rather than updating CSP policies in headers associated with many different resources.

Con:

1) Retrieving the CSP policy from another URL slows down the web page because the browser needs to block execution of the page while it fetches the CSP policy.

If we include the feature, we're going to spend a lot of time and effort telling developers not to use it because it's going to slow down their pages. For example, YSlow has spent a great deal of effort evangelizing their best practices for speeding up your web site:

http://developer.yahoo.com/performance/rules.html

The very first item on their list is "Minimize HTTP Requests", which policy-uri violates. They also recommend that sites "Put Scripts at the Bottom" because "they block parallel downloads". Unfortunately, web sites cannot put policy-uri "at the bottom" of their page. It needs to be placed "at the top" where it will block the entire page.

Dan Veditz has said that many folks requested that Firefox include the policy-uri directive. However, I haven't seen much evidence of sites actually using this feature. For example, http://www.shodanhq.com/?q=X-Content-Security-Policy turns up around 366 web sites using X-Content-Security-Policy, only one of which appears to be using policy-uri.

IMHO, we should remove policy-uri from CSP.

Adam
Received on Wednesday, 22 February 2012 23:58:43 UTC
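The kind of check a site operator would run against their own response headers to find the pattern the message argues against: a small audit that parses CSP header values (both the standard header and the X-Content-Security-Policy prefix used in the survey above), flags responses that defer the policy to a policy-uri fetch, and shows the equivalent header with the policy text inlined so no extra render-blocking request is needed. This is an added example, not code from the original post or from the W3C spec; the response records, site names and the contents of /my-csp-policy.txt are constructed for illustration.

```python
"""Audit CSP headers for the policy-uri directive (added example, not from the post).

Parses a CSP header value into directives, flags responses that rely on
policy-uri (an extra, render-blocking fetch before the page can run), and
shows what the header looks like once the policy text is inlined instead.
Sample headers and the policy-file contents are constructed for this example.
"""
from typing import Dict, List, Tuple

# Both the standard header and the experimental prefix seen in the survey.
CSP_HEADER_NAMES = {"content-security-policy", "x-content-security-policy"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}.

    Directives are separated by ';'; the first token of each is the
    directive name (case-insensitive), the remaining tokens are its values.
    A repeated directive name is ignored, as CSP user agents do.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. from a trailing ';'
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def uses_policy_uri(value: str) -> bool:
    """True when the header defers the policy to a separately fetched URL."""
    return "policy-uri" in parse_csp(value)


def inline_policy(header_value: str, fetched_policy: str) -> str:
    """Return the header as it would read with the policy text inlined.

    fetched_policy stands in for the body the browser would otherwise have to
    retrieve from the policy-uri before it can continue rendering the page.
    Headers that do not use policy-uri are returned unchanged.
    """
    if not uses_policy_uri(header_value):
        return header_value
    # Normalise the fetched text to "name values; name values".
    parts = [" ".join([name, *vals]) for name, vals in parse_csp(fetched_policy).items()]
    return "; ".join(parts)


def audit(responses: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count sites that send a CSP header and how many of those use policy-uri.

    responses: (site, header_name, header_value) triples, the shape a header
    survey such as the one described in the post would produce.
    """
    csp_sites = set()
    policy_uri_sites = set()
    for site, name, value in responses:
        if name.lower() not in CSP_HEADER_NAMES:
            continue
        csp_sites.add(site)
        if uses_policy_uri(value):
            policy_uri_sites.add(site)
    return {"csp_sites": len(csp_sites), "policy_uri_sites": len(policy_uri_sites)}


# Constructed sample records (not real scan results).
SAMPLE_RESPONSES = [
    ("a.example", "X-Content-Security-Policy", "default-src 'self'; script-src 'self' cdn.example"),
    ("b.example", "Content-Security-Policy", "policy-uri /my-csp-policy.txt"),
    ("c.example", "Content-Security-Policy", "default-src 'none'; img-src 'self'"),
    ("d.example", "Server", "nginx"),  # no CSP header at all
]

# Assumed contents of /my-csp-policy.txt on b.example (constructed).
SAMPLE_POLICY_FILE = "default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSES))
    for site, name, value in SAMPLE_RESPONSES:
        if name.lower() in CSP_HEADER_NAMES and uses_policy_uri(value):
            print(f"{site}: inline as -> {inline_policy(value, SAMPLE_POLICY_FILE)}")
```

Run over real data, the `responses` list would be filled from captured response headers for the sites under your control; the `audit` result gives the same two numbers the post's survey reports, and `inline_policy` produces the replacement header once the policy file has been retrieved.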