- From: David Bruant <bruant.d@gmail.com>
- Date: Wed, 3 Oct 2012 11:41:54 +0200
- To: Peter Hultqvist <phq@silentorbit.com>
- Cc: public-webappsec@w3.org
Received on Wednesday, 3 October 2012 09:42:22 UTC
2012/10/2 Peter Hultqvist <phq@silentorbit.com>

> Is the goal of CSP to be site wide, per document or per request?
>
> Using an HTTP header would suggest being a per request policy

Indeed.

> but in practice I would guess these are more likely set one time in the
> server configuration thus apply to an entire website.

You can always configure your Apache/Tomcat/node.js/RoR so that it always sends the header.

There are different things to address. The web platform needs to provide fine-grained control over the security web devs can apply. This is what CSP is about. It provides fine-grained bricks to build a fine-tuned security policy.

I however agree that in a lot of cases, you want a domain-wide policy. You can build this with the current spec. You just need to build it yourself. To be honest, with the open source culture of web development, one person/company will build it and share it so you don't need to worry about it. At worst, you'll want to review it, at best, you can trust it'll work out of the box.

David
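The "build it yourself" approach discussed in this message, as an added example that is not part of the original thread or of any CSP implementation: a site-wide baseline policy sent on every response, with a per-path override for the few documents that need something different. The directive names are real CSP directives; `SITE_POLICY`, `ROUTE_OVERRIDES`, `withCsp`, the `/embed` path and the `https://widgets.example` origin are constructed for illustration. It is written against plain Node.js request/response objects so it runs without a framework.

```javascript
// Added example (not from the original thread): a domain-wide CSP applied to
// every response, with per-path overrides, as a wrapper around a plain
// Node.js (req, res) handler. Names and origins below are constructed.

// Site-wide baseline: what every document gets unless a route says otherwise.
const SITE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
};

// Per-path overrides (hypothetical): one page that must load a third-party
// widget is allowed exactly that origin, nothing else changes.
const ROUTE_OVERRIDES = {
  "/embed": {
    "script-src": ["'self'", "https://widgets.example"],
    "frame-src": ["https://widgets.example"],
  },
};

// An override replaces a directive wholesale rather than adding sources to
// it, so a reviewer can read the route's effective policy directly from the
// override table instead of reconstructing a union in their head.
function mergePolicies(base, override) {
  return { ...base, ...(override || {}) };
}

// Serialize to the header's "directive source source; directive ..." form.
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Effective header value for a given request path.
function policyHeaderFor(pathname) {
  return serializePolicy(mergePolicies(SITE_POLICY, ROUTE_OVERRIDES[pathname]));
}

// Wrap any (req, res) handler so the header is set before the body is sent.
// Setting it here, once, is the "configure the server to always send it"
// pattern from the thread; the override table is the fine-grained part.
function withCsp(handler) {
  return (req, res) => {
    const pathname = new URL(req.url, "http://localhost").pathname;
    res.setHeader("Content-Security-Policy", policyHeaderFor(pathname));
    return handler(req, res);
  };
}

// Stand-alone demonstration with a stub response object (no socket is opened).
function demo(url) {
  const headers = {};
  const stubRes = { setHeader: (name, value) => { headers[name] = value; } };
  withCsp((req, res) => "handled")({ url }, stubRes);
  return headers["Content-Security-Policy"];
}

console.log(demo("/"));      // baseline policy
console.log(demo("/embed")); // baseline with script-src replaced and frame-src added
```

To use it with a real server, pass `withCsp(yourHandler)` to `http.createServer`; every response then carries the baseline, and only paths listed in the override table differ.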