- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 01:54:54 -0700
- To: public-webappsec@w3.org
tl;dr: CSP 1.0 is now located at http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html and contains the changes discussed at the face-to-face.

Based on the discussion at the recent face-to-face, I've made the following changes:

1) I've included Brad Hill's advice to server operators: http://dvcs.w3.org/hg/content-security-policy/rev/eea1c214cc85

I made an editorial pass over Brad's text to address a bunch of nits (e.g., only using "may" in the normative sense). Hopefully I haven't butchered his text too badly. Feedback welcome. :)

2) Somewhat more controversially, I've changed the behavior when the user agent receives more than one policy. At the face-to-face, we discussed having the user agent enforce a policy of default-src 'none' in this case, but during the test jam, I realized that user agents are going to need to implement policy combination anyway to deal with vendor prefixes. Given that user agents are going to need to implement policy combination, it's more sensible for user agents to enforce all of the policies they receive rather than failing in an obnoxious way: http://dvcs.w3.org/hg/content-security-policy/rev/96603653094a

Note: The document still forbids servers from sending more than one Content-Security-Policy header. IMHO, that's still a good idea because intermediaries can still combine or otherwise mangle multiple instances of the same header field. I've added some explanatory text around this topic. Obviously, your thoughts on this topic are most welcome.

3) As discussed at the face-to-face, the spec now requires user agents to enforce the policy default-src 'none' if they encounter a CSP policy with a comma: http://dvcs.w3.org/hg/content-security-policy/rev/7e995988d564

Such a policy is likely the result of network intermediaries mangling the policy.

4) As discussed at the face-to-face, I've removed the sandbox directive from CSP 1.0: http://dvcs.w3.org/hg/content-security-policy/rev/dd1f7a1cd84f

Fear not, sandbox fans. The sandbox directive now appears in CSP 1.1 (see my next email).

5) I've also made a few editorial cleanups (see the Hg log for details if you care).

6) Finally, I've moved the CSP 1.0 spec to <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html>. Hopefully we'll be able to stabilize this document and ship CSP 1.0 in short order.

Thanks all,
Adam
Received on Monday, 7 May 2012 08:56:04 UTC
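The two user-agent behaviours from items 2 and 3 of the email (enforce every received policy; treat a policy containing a comma as default-src 'none'), modelled as an added Python example that is not Adam's text or the spec's own code. Source matching is simplified to exact-origin comparison plus 'self', 'none' and '*' (an assumption; real CSP source matching is richer), and the header values are constructed.

```python
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]


def parse_policy(header_value: str) -> Policy:
    """Parse one Content-Security-Policy header value into directive -> sources.

    A comma is not part of the CSP 1.0 directive grammar; per the email, a policy
    containing one is probably intermediary mangling and is enforced as
    default-src 'none' instead of whatever the mangled text says.
    """
    if "," in header_value:
        return {"default-src": ["'none'"]}
    policy: Policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def policy_allows(policy: Policy, directive: str, origin: str, page_origin: str) -> bool:
    """Simplified source matching (assumption): exact origin, 'self', 'none', '*'."""
    sources: Optional[List[str]] = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src present: unrestricted
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or src == origin:
            return True
        if src == "'self'" and origin == page_origin:
            return True
    return False


def combined_allows(header_values: List[str], directive: str,
                    origin: str, page_origin: str) -> bool:
    """Enforce all received policies: a load is allowed only if each policy,
    evaluated on its own, allows it (the behaviour the email adopts)."""
    policies = [parse_policy(v) for v in header_values]
    return all(policy_allows(p, directive, origin, page_origin) for p in policies)


if __name__ == "__main__":
    # Constructed headers: a vendor-prefixed and an unprefixed policy delivered together.
    headers = ["default-src 'self'", "script-src https://cdn.example"]
    print(combined_allows(headers, "script-src", "https://cdn.example", "https://app.example"))
```

With the two constructed headers, the second policy would allow the CDN script but the first (falling back to default-src 'self') does not, so the combined result is a block.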