Re: Granularity of CSP

On Tue, Oct 2, 2012 at 9:35 AM, Peter Hultqvist <phq@silentorbit.com> wrote:
> Is the goal of CSP to be site wide, per document or per request?

Per document.

> Using a HTTP header would suggest being a per request policy but in practice
> I would guess these are more likely set one time in the server configuration
> thus apply to an entire website.
>
> A side question would be why one choses to use HTTP headers for delivery
> rather than something like a robots.txt or crossdomain.xml file.

Fetching robots.txt or crossdomain.xml adds latency, especially
because we'd need to block processing the document until we got its
content security policy.

> I understand that using the header approach gives one much more fine tuning
> abilities thus the cause for the rest of my questions.
>
> Considering a single page of one HTML document and several linked script
> files, some of them being located on third party servers.
>
> How are the Content-Security-Policy applied?

On a per-document basis.  This information is in the specification.

> Does the policy for any document/script take precedence such as the main
> HTML document?

The HTML document's policy is the only one that matters.

> If so can policies be set on a single .js file if the main document does not
> have one?

No.

> Can policies be changed with every page load(by sending a different CSP
> header)?

Yes.

> Can "Not Modified" set a new policy for a locally cached document?

No.  This follows from HTTP semantics.  For example, you can't set a
new Content-Type for the cached document either.

> I can think of a lot of more examples being unclear to me, but I guess a
> quick answer to any of the above would steer what follow up questions I
> might have.

I'd encourage you to read the spec and to play with some of the
existing implementations.  That should help answer these sorts of
questions.

Adam

Received on Wednesday, 3 October 2012 09:43:08 UTC