Granularity of CSP

Is the goal of CSP to be site wide, per document or per request?

Using an HTTP header would suggest a per-request policy, but in 
practice I would guess these are more likely set one time in the server 
configuration and thus apply to an entire website.

A side question would be why one chooses to use HTTP headers for delivery 
rather than something like a robots.txt or crossdomain.xml file. I 
understand that using the header approach gives one much more fine-tuning 
ability, hence the rest of my questions.

Consider a single page consisting of one HTML document and several linked 
script files, some of them located on third-party servers.

How is the Content-Security-Policy applied?
Does the policy for any one document/script, such as the main HTML 
document, take precedence?
If so, can policies be set on a single .js file if the main document does 
not have one?

Can policies be changed with every page load (by sending a different CSP 
header)?
Can a "Not Modified" response set a new policy for a locally cached document?

I can think of a lot more examples that are unclear to me, but I guess a 
quick answer to any of the above would steer what follow-up questions I 
might have.

Received on Wednesday, 3 October 2012 09:26:33 UTC