- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 18 Jun 2013 09:01:44 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <51C08468.5070301@mozilla.com>
Here is a policy-uri proposal. Unlike the original Mozilla implementation that requires policy-uri to be the only directive in a CSP header that contains it, this one treats the fetched policy as an additional header of the same type (following the intersecting multi-header policy already in the spec). Not sure if that's actually useful but made more sense than the punitive action of applying a draconian default-src 'none' policy or unsafely ignoring the policy altogether.

I debated adding a "Usage" section listing some of the pros and cons of using policy-uri. Does anyone think we need it? Basically comes down to

Con: adds latency to loading the page.

Pro: if you have a large complex policy that is used on multiple pages this reduces the size of every page load (after the first). If you have a ridiculously detailed policy--which could happen if we add the script-hash proposal--this could help avoid running into the header-size limitations. This could also be used to make the policy easier to understand and maintain since newlines count as whitespace so the policy can be arranged in a readable way.

-Dan Veditz
Attachments
- text/plain attachment: policy-uri.txt
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 18 June 2013 16:02:15 UTC
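The message describes the fetched policy being treated as one more delivered policy, with the spec's multi-policy rule applied: a load is permitted only if every policy permits it. The following is an added example, not the attached proposal text and not code from any browser; it models that intersection in a deliberately simplified CSP evaluator (host and scheme matching only: no ports, paths, nonces or hashes), parses directives with newlines treated as whitespace, and stands in for the policy-uri fetch with a constructed inline string.

```javascript
// Added example: simplified CSP parsing and multi-policy intersection.
// Source matching is intentionally reduced to scheme/host; real CSP
// also handles ports, paths, nonces, hashes and keyword sources.

function parsePolicy(text) {
  // Directives are ';'-separated; tokens inside a directive are split on any
  // whitespace, so a policy laid out across several lines parses the same.
  const policy = new Map();
  for (const raw of text.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // CSP honours the first occurrence of a directive and ignores repeats.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceMatches(source, origin, url) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.scheme === origin.scheme && url.host === origin.host;
  if (source === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.scheme === source.slice(0, -1).toLowerCase();
  // host-source with optional scheme and optional leading "*."
  let hostPart = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) {
    if (m[1].toLowerCase() !== url.scheme) return false;
    hostPart = m[2];
  }
  if (hostPart.startsWith('*.')) {
    return url.host.toLowerCase().endsWith('.' + hostPart.slice(2).toLowerCase());
  }
  return hostPart.toLowerCase() === url.host.toLowerCase();
}

function policyAllows(policy, directive, origin, url) {
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get('default-src'); // fallback
  if (sources === undefined) return true; // nothing applicable: unrestricted
  return sources.some((src) => sourceMatches(src, origin, url));
}

// Intersection rule: every delivered policy must allow the load.
function allowed(policies, directive, origin, url) {
  return policies.every((p) => policyAllows(p, directive, origin, url));
}

// Constructed sample policies (hypothetical hosts, not from the message).
// The header policy is what the page itself sends; the "fetched" policy
// stands in for what a policy-uri directive would retrieve.
const headerPolicy = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.com https://analytics.example.net"
);
const fetchedPolicy = parsePolicy(`
  default-src 'self';
  script-src
      'self'
      https://cdn.example.com;
  img-src *;
`);

function evaluateSample() {
  const origin = { scheme: 'https', host: 'www.example.com' };
  const policies = [headerPolicy, fetchedPolicy];
  return {
    // both policies list the CDN -> allowed
    cdnScript: allowed(policies, 'script-src', origin, { scheme: 'https', host: 'cdn.example.com' }),
    // only the header policy lists analytics -> blocked by intersection
    analyticsScript: allowed(policies, 'script-src', origin, { scheme: 'https', host: 'analytics.example.net' }),
    // header falls back to default-src 'self', fetched has img-src * -> allowed
    selfImage: allowed(policies, 'img-src', origin, { scheme: 'https', host: 'www.example.com' }),
    // fetched allows any image, header's default-src 'self' does not -> blocked
    remoteImage: allowed(policies, 'img-src', origin, { scheme: 'https', host: 'images.example.org' }),
  };
}
```

The combined result is never looser than either policy alone: a fetched policy can only remove permissions the header already grants, which is why this treatment is safe relative to ignoring the fetched policy, and why a site that uses policy-uri should expect its header policy and its fetched policy to be kept in sync.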