Re: Granularity of CSP

2012/10/2 Peter Hultqvist <phq@silentorbit.com>

> Is the goal of CSP to be site wide, per document or per request?
>
> Using a HTTP header would suggest being a per request policy

Indeed.


> but in practice I would guess these are more likely set one time in the
> server configuration thus apply to an entire website.
>
You can use always configure your Apache/Tomcat/node.js/RoR so that it
always send the header.

There are different things to address. The web platform need to provide
fine-grain control over the security web devs can apply. This is what CSP
is about. It provides fine-grained bricks to build a fine-tuned security
policy.
I however agree that in a lot of cases, you want a domain-wise. You can
build this with the current spec. You just need to build it yourself.
To be honest, with the open source culture of web development, one
person/company will build it and share it so you don't need to worry about
it. At worst, you'll want to review it, at best, you can trust it'll work
out of the box.

David

Received on Wednesday, 3 October 2012 09:42:22 UTC