- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 3 Oct 2012 02:42:08 -0700
- To: Peter Hultqvist <phq@silentorbit.com>
- Cc: public-webappsec@w3.org
On Tue, Oct 2, 2012 at 9:35 AM, Peter Hultqvist <phq@silentorbit.com> wrote:
> Is the goal of CSP to be site wide, per document or per request?

Per document.

> Using an HTTP header would suggest being a per request policy but in practice
> I would guess these are more likely set one time in the server configuration
> thus apply to an entire website.
>
> A side question would be why one chooses to use HTTP headers for delivery
> rather than something like a robots.txt or crossdomain.xml file.

Fetching robots.txt or crossdomain.xml adds latency, especially because
we'd need to block processing the document until we got its content
security policy.

> I understand that using the header approach gives one much more fine tuning
> abilities thus the cause for the rest of my questions.
>
> Considering a single page of one HTML document and several linked script
> files, some of them being located on third party servers.
>
> How is the Content-Security-Policy applied?

On a per-document basis. This information is in the specification.

> Does the policy for any document/script take precedence such as the main
> HTML document?

The HTML document's policy is the only one that matters.

> If so can policies be set on a single .js file if the main document does not
> have one?

No.

> Can policies be changed with every page load (by sending a different CSP
> header)?

Yes.

> Can "Not Modified" set a new policy for a locally cached document?

No. This follows from HTTP semantics. For example, you can't set a new
Content-Type for the cached document either.

> I can think of a lot more examples being unclear to me, but I guess a
> quick answer to any of the above would steer what follow up questions I
> might have.

I'd encourage you to read the spec and to play with some of the existing
implementations. That should help answer these sorts of questions.

Adam
Received on Wednesday, 3 October 2012 09:43:08 UTC
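As an added example, not part of the thread or of any browser's CSP implementation, the Python sketch below models the three answers given above (the policy comes only from the HTML document's own response, a script file's CSP header is ignored, and a 304 Not Modified leaves the cached document's policy in place) and checks a script URL against the document's script-src. The hosts, response records and the simplified source matching are constructed for illustration.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_policy(responses, cached_policy=None):
    """Policy governing the HTML document, following the thread: only the document's
    own response sets it, a 304 keeps the cached policy, script responses are ignored."""
    policy = cached_policy
    for resp in responses:
        if resp["kind"] != "document":
            continue  # a .js response cannot set or change the page's policy
        if resp["status"] == 304:
            continue  # Not Modified: the cached document keeps its cached policy
        header = resp["headers"].get("Content-Security-Policy")
        policy = parse_csp(header) if header else None
    return policy

def script_allowed(policy, document_url, script_url):
    """Simplified script-src check: handles 'self', '*' and scheme://host sources."""
    if policy is None:
        return True  # no policy on the document means scripts are unrestricted
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    doc, src = urlparse(document_url), urlparse(script_url)
    origin = f"{src.scheme}://{src.netloc}"
    self_origin = f"{doc.scheme}://{doc.netloc}"
    return any(s == "*" or s == origin or (s == "'self'" and origin == self_origin)
               for s in sources)

# Constructed sample exchange (hypothetical hosts): the document sets a policy, a
# third-party script answers with its own CSP header, and a later 304 for the
# cached document carries a different header that must not take effect.
PAGE_LOAD = [
    {"kind": "document", "status": 200, "headers": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example"}},
    {"kind": "script", "status": 200, "headers": {"Content-Security-Policy": "script-src *"}},
]
REVALIDATION = [{"kind": "document", "status": 304,
                 "headers": {"Content-Security-Policy": "script-src *"}}]
```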