
policy-uri proposal (ACTION 97)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 18 Jun 2013 09:01:44 -0700
Message-ID: <51C08468.5070301@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Here is a policy-uri proposal. Unlike the original Mozilla
implementation that requires policy-uri to be the only directive in a
CSP header that contains it, this one treats the fetched policy as an
additional header of the same type (following the intersecting
multi-header policy already in the spec). Not sure if that's actually
useful but made more sense than the punitive action of applying a
draconian default-src 'none' policy or unsafely ignoring the policy
altogether.

I debated adding a "Usage" section listing some of the pros and cons of
using policy-uri. Does anyone think we need it? Basically comes down to

Con: adds latency to loading the page.

Pro: if you have a large complex policy that is used on multiple pages
this reduces the size of every page load (after the first). If you have
a ridiculously detailed policy--which could happen if we add the
script-hash proposal--this could help avoid running into the header-size
limitations.

This could also be used to make the policy easier to understand and
maintain since newlines count as whitespace so the policy can be
arranged in a readable way.

-Dan Veditz
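Added example (not from this mail or from Mozilla's implementation): a small Python model of the intersecting multi-policy rule the proposal reuses, with the header policy and a multi-line fetched policy treated as two members of one list. The sample policies, page origin and function names are constructed, and only a subset of CSP source forms is matched.

```python
from urllib.parse import urlsplit

# Constructed sample: the policy delivered in the header itself ...
HEADER_POLICY = "default-src 'self'; img-src https:"
# ... and the one the UA would fetch from policy-uri, spread over lines
# for readability (newlines count as whitespace, as the mail notes).
FETCHED_POLICY = """default-src 'self';
script-src 'self'
           https://cdn.example.com;
img-src *"""
PAGE_ORIGIN = "https://www.example.com"   # constructed

def parse_policy(text):
    """{directive: [sources]}; str.split() treats newlines like spaces."""
    policy = {}
    for token in text.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """'none', 'self', *, scheme: and host-source; ports/paths ignored."""
    u, p = urlsplit(url), urlsplit(page_origin)
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if e == "*":
        return True
    if e.endswith(":"):                          # scheme-source, e.g. https:
        return u.scheme == e[:-1]
    scheme, _, host = e.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):                    # wildcard host-source
        return (u.hostname or "").endswith(host[1:])
    return u.netloc == host

def policy_allows(policy, directive, url, page_origin):
    """One policy's verdict: own list, else default-src, else unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or any(source_matches(s, url, page_origin) for s in sources)

def allowed_by_all(policies, directive, url, page_origin=PAGE_ORIGIN):
    """Intersection rule: every delivered policy must allow the load, so a
    fetched policy added to the list can tighten but never loosen the header."""
    return all(policy_allows(p, directive, url, page_origin) for p in policies)
```

Run against the samples, the fetched policy's broader script-src for the CDN is not honoured because the header's default-src 'self' still applies to scripts, which is the practical consequence of folding policy-uri into the existing intersection semantics.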
Received on Tuesday, 18 June 2013 16:02:15 UTC
