- From: Peter Hultqvist <phq@silentorbit.com>
- Date: Wed, 10 Oct 2012 13:44:27 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
- Message-ID: <50755F9B.2000302@silentorbit.com>
On 10/03/2012 11:42 AM, Adam Barth wrote:
> I'd encourage you to read the spec and to play with some of the
> existing implementations. That should help answer these sorts of
> questions.
>
> Adam
>

Thanks for your answers; with those I made a second attempt at reading the specification and have some comments on the document itself. As for your answers to the "why" questions, I did not expect them from the document, so great thanks for those.

Please correct me if I'm wrong, but I have now drawn the conclusion that a "resource representation" can be explained as a tab in a browser, including all content therein. The tab has a single policy that is defined by the file retrieved by the URL in the address bar (being HTTP headers or the meta tag). So this would mean that in the future this policy could be applied to a PDF document having embedded JavaScript (although I'm going outside of my area in this statement).

Below follow some of my observations on the "resource representation" that made it hard for me to read the specification.

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

About whether the policy applies to the HTML file or to separate JavaScript files, "1. Introduction" ends with:

Such policies apply to the current resource representation only. To supply a policy for an entire site, the server needs to supply a policy with each resource representation.

Not knowing what a "resource representation" is, this can easily be interpreted as a single resource such as a JavaScript file.

I continued: in section "2.1 Key Concepts and Terminology" I read "resource representation is defined in the HTTP 1.1 specification", but opening that document there is no string "resource representation"; however, there is a "representation" with, in my impression, a rather vague definition referring to section 12 about content negotiation.
Received on Wednesday, 10 October 2012 11:44:59 UTC
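The scoping the message above discusses (a policy delivered with a document, by HTTP header or meta tag, governs that document's loads only, the server has to send one with each document, and when several policies are present each is enforced) can be shown with a small simulation. This is an added example, not code from the thread or from the CSP specification; the RESPONSES table is constructed sample data, and the source matching is a deliberately simplified subset of the spec's source-expression rules (only 'self', 'none', '*' and exact scheme://host[:port] origins).

```python
"""Added example: how a Content-Security-Policy is scoped to the document
(the "resource representation") it was delivered with, not to the
subresources that document loads.  Matching is a simplified subset of CSP
source-expression matching, not a full implementation."""

from urllib.parse import urlsplit

# Constructed sample responses, keyed by URL.  The HTML document carries a
# policy both as an HTTP header and as a meta tag; the script file carries
# its own (very permissive) header, which must NOT affect the document that
# embeds it.
RESPONSES = {
    "https://example.com/index.html": {
        "headers": {
            "Content-Security-Policy": "script-src 'self' https://cdn.example.net",
        },
        "meta": [
            "script-src 'self' https://cdn.example.net https://ads.example.org",
        ],
    },
    "https://cdn.example.net/app.js": {
        "headers": {"Content-Security-Policy": "script-src *"},
        "meta": [],
    },
}


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def parse_csp(policy: str) -> dict:
    """Parse 'directive src1 src2; directive2 ...' into {directive: [sources]}."""
    result = {}
    for token in policy.split(";"):
        fields = token.split()
        if fields:
            result[fields[0].lower()] = fields[1:]
    return result


def policies_for(document_url: str) -> list:
    """Every policy delivered with this one resource representation, from the
    HTTP header and from meta tags alike.  Each is enforced independently."""
    response = RESPONSES[document_url]
    policies = []
    for name, value in response["headers"].items():
        if name.lower() == "content-security-policy":
            policies.append(parse_csp(value))
    for value in response["meta"]:
        policies.append(parse_csp(value))
    return policies


def source_allows(source: str, document_origin: str, target_origin: str) -> bool:
    """Simplified source-expression match (assumption: no wildcards in hosts,
    no scheme-only or path matching)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return target_origin == document_origin
    return source.rstrip("/").lower() == target_origin.lower()


def script_allowed(document_url: str, script_url: str) -> bool:
    """A script load is allowed only if every policy delivered with the
    embedding document allows it.  Any policy delivered with the script's own
    response is irrelevant here: it would only govern the script if the
    script were itself the top-level resource representation."""
    document_origin = origin_of(document_url)
    target_origin = origin_of(script_url)
    for policy in policies_for(document_url):
        # script-src falls back to default-src; with neither, loads are unrestricted.
        sources = policy.get("script-src", policy.get("default-src", ["*"]))
        if not any(source_allows(s, document_origin, target_origin) for s in sources):
            return False
    return True


if __name__ == "__main__":
    page = "https://example.com/index.html"
    for script in ("https://example.com/local.js",
                   "https://cdn.example.net/app.js",
                   "https://ads.example.org/ad.js"):
        verdict = "allowed" if script_allowed(page, script) else "blocked"
        print(f"{page} loading {script}: {verdict}")
```

The ads.example.org load is blocked even though the meta-tag policy would allow it, because the header policy delivered with the same document does not; and the "script-src *" header sent with app.js never enters the decision, which is the "applies to the current resource representation only" point the message asks about.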