- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 1 May 2012 10:25:26 -0700
- To: Nataliia Bielova <Nataliia.Bielova@inria.fr>
- Cc: public-webappsec@w3.org
- Message-ID: <CAJE5ia_o3a4hVW=vCnp0buQM=oKvt2zn3cnpHRyaR0eDcEGBLA@mail.gmail.com>
On Wed, Apr 25, 2012 at 8:18 AM, Nataliia Bielova <Nataliia.Bielova@inria.fr> wrote:

> Dear WebApp Security Group,
>
> I would like to ask a couple of questions about CSP (I'm reading the W3C
> Editor's Draft [1] of 25 April 2011), maybe some of them are not correct,
> in that case I would like to ask you to let me know. I am looking forward
> to getting your answers:
>
> 1. Is CSP transitive? Imagine a web page at a.com that has a CSP
> containing only one allowed resource "frame-src: b.com". Let's assume
> that b.com has a CSP containing "script-src: c.com". Now, once a frame
> from b.com has been loaded, can it load and execute a script from c.com?
> It seems that CSP does not forbid that because there is no explicit
> "redirection".

CSP affects only the current frame. The b.com frame is restricted by only its policy, not the policy of a.com.

> Think about the same setting in ECMAScript-6, where the "import"
> directive will be introduced -- then one script can load another script and
> so on, how will CSP deal with that?

The import directive likely should respect script-src.

> 2. Imagine now that a web page contains CSP with "connect-src: x.com". Is
> it correct that the open() method of XMLHttpRequest and the other two
> constructors in the specification are allowed to actually make HTTP
> requests to y.com, but the user agent must act as if it received an empty
> HTTP response?

Correct. It's treated like a network error. We use this approach for consistency with the other directives (e.g., img-src).

Adam
Received on Tuesday, 1 May 2012 17:26:30 UTC
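The two points in the reply above (a framed document is governed only by the policy delivered with that document, and a connect-src violation surfaces to script as a network error rather than as a policy message) are illustrated by the following model. This is an added example, not code from the thread or from any browser or the CSP specification: `parsePolicy`, `sourceMatches`, `isAllowed`, `Frame` and `simulatedXhr` are hypothetical helpers, source-list matching is simplified (host, optional scheme, `*.host`, `'self'`, `'none'`, no ports or paths), and the policies are constructed in the real header syntax (no colon after the directive name). The a.com policy is given a `default-src 'self'` in addition to `frame-src b.com` so that the contrast between the parent's and the child's script-src handling is visible.

```javascript
// Added example: a minimal model of per-frame CSP scoping and of the
// "treat as network error" behaviour of connect-src. Not a browser's
// implementation; matching is deliberately simplified.

// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the URL being loaded? Supports
// 'none', 'self', '*', "host", "scheme://host" and "*.host" (no ports/paths).
function sourceMatches(source, url, documentOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === documentOrigin;
  if (source === '*') return true;
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) { scheme = m[1].toLowerCase(); host = m[2]; }
  if (scheme && scheme + ':' !== target.protocol) return false;
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host.toLowerCase();
}

// Is loading `url` as `directive` allowed by the policy of the document that
// performs the load? Falls back to default-src; with neither, it is allowed.
function isAllowed(documentPolicy, directive, url, documentOrigin) {
  const sources = documentPolicy[directive] ?? documentPolicy['default-src'];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, documentOrigin));
}

// A frame carries only its own document's origin and policy. Embedding is
// governed by the parent's frame-src, but the child document then lives under
// its own policy and inherits nothing from the parent.
class Frame {
  constructor(origin, policyHeader) {
    this.origin = origin;
    this.policy = parsePolicy(policyHeader);
  }
  canLoad(directive, url) {
    return isAllowed(this.policy, directive, url, this.origin);
  }
  embed(childOrigin, childPolicyHeader) {
    if (!this.canLoad('frame-src', childOrigin + '/')) return null;
    return new Frame(childOrigin, childPolicyHeader);
  }
}

// Model of an XMLHttpRequest under connect-src: a disallowed destination is
// not reported as "blocked by policy"; script sees a network error (status 0,
// empty body). `networkResponse` is a constructed stand-in for the network.
function simulatedXhr(frame, url, networkResponse) {
  if (!frame.canLoad('connect-src', url)) {
    return { status: 0, body: '', networkError: true };
  }
  return { status: 200, body: networkResponse, networkError: false };
}

// The scenario from the thread, with constructed policies.
function scenario() {
  const top = new Frame('https://a.com', "default-src 'self'; frame-src b.com");
  const child = top.embed('https://b.com', 'script-src c.com; connect-src x.com');
  return {
    frameCreated: child !== null,
    // b.com's frame is judged by b.com's policy alone ...
    childLoadsScriptFromC: child.canLoad('script-src', 'https://c.com/lib.js'),
    // ... while a.com's own document stays restricted by a.com's policy.
    topLoadsScriptFromC: top.canLoad('script-src', 'https://c.com/lib.js'),
    xhrToX: simulatedXhr(child, 'https://x.com/api', '{"ok":true}'),
    xhrToY: simulatedXhr(child, 'https://y.com/api', '{"ok":true}'),
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Running the block prints the scenario: the b.com frame is created, its script load from c.com is allowed by b.com's policy even though a.com's policy would refuse it, the request to x.com succeeds, and the request to y.com comes back as status 0 with an empty body, indistinguishable to the page's script from a failed connection.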