Re: Granularity of CSP

On Wed, Oct 10, 2012 at 4:44 AM, Peter Hultqvist <> wrote:
> On 10/03/2012 11:42 AM, Adam Barth wrote:
>> I'd encourage you to read the spec and to play with some of the
>> existing implementations.  That should help answer these sorts of
>> questions.
> Thanks for your answers, with those I made a second attempt in reading the
> specification and have some comments on the document itself. Although for
> your answers to the "why" questions I did not expect them from the document
> so great thanks for those.
> Please correct me if I'm wrong, I have now drawn the conclusion that a
> "resource representation" can be explained as a tab in a browser including
> all content therein.

That's not correct.  See, for example,

> The tab has a single policy that is defined by the file
> retrieved by the URL in the address bar (being HTTP headers or the meta tag).
> So this would mean that in the future this policy could be applied to a PDF
> document having embedded JavaScript (although I'm going outside of my area in
> this statement).

That's true, but unrelated to your previous statements.

> Below follows some of my observations of the "resource representation" that
> made it hard for me to read the specification.
> About whether the policy applies to the HTML file or separate JavaScript
> files the "1. Introduction" ends with:
> Such policies apply to the current resource representation only. To supply a
> policy for an entire site, the server needs to supply a policy with each
> resource representation.
> Not knowing what a "resource representation" is this can easily be
> interpreted as a single resource such as a JavaScript file.

If you don't know what a resource representation is, you're going to
have trouble understanding the specification.  That's why we refer to
other specifications that define these basic terms.


Received on Thursday, 11 October 2012 00:23:24 UTC
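The point the thread turns on, that a policy governs only the resource representation it was delivered with, so a server wanting site-wide coverage must send one with every response, can be shown with a small WSGI middleware. This is an added example, not code from the thread or from any CSP implementation; the policy string, the `cdn.example.test` host and the two-resource site are constructed for illustration.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed site-wide policy for the example (not from the thread).
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test"

def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP policy into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            name, *sources = parts
            directives[name.lower()] = sources
    return directives

def csp_middleware(app: Callable, policy: str = POLICY) -> Callable:
    """Wrap a WSGI app so every response it produces carries the policy."""
    def wrapped(environ, start_response):
        def start_with_csp(status, headers, exc_info=None):
            names = {k.lower() for k, _ in headers}
            if "content-security-policy" not in names:
                headers = list(headers) + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, start_with_csp)
    return wrapped

def site_app(environ, start_response) -> Iterable[bytes]:
    """Hypothetical site serving one HTML document and one script file."""
    path = environ.get("PATH_INFO", "/")
    if path == "/app.js":
        start_response("200 OK", [("Content-Type", "application/javascript")])
        return [b"console.log('hello');"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><script src='/app.js'></script></html>"]

def fetch(app: Callable, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured: Dict[str, object] = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return str(captured["status"]), dict(captured["headers"]), body

if __name__ == "__main__":
    app = csp_middleware(site_app)
    for path in ("/", "/app.js"):
        status, headers, _ = fetch(app, path)
        print(path, status, parse_policy(headers["Content-Security-Policy"]))
```

Without the middleware only the responses that set the header themselves carry a policy; with it, both the document and the script response do, which is what "supply a policy with each resource representation" asks for.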