- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 08 Apr 2014 16:50:27 +0000
- To: public-webappsec@w3.org

webappsec-ISSUE-58 (Late binding of CSP): Late binding of CSP policies [CSP 1.1]

http://www.w3.org/2011/webappsec/track/issues/58

Raised by: Brad Hill
On product: CSP 1.1

Need to consider how to handle late-binding of CSP policies. Right now we say that meta tags are ignored if a policy is present in header.

Sysapps Manifest spec allows specifying a supplemental CSP policy, but the manifest is lazily loaded. Creates interesting issues with initial enforcement, and differences in behavior between first load and subsequent loads once CSP is cached.

http://manifest.sysapps.org/#csp-member

Similar issues seem to exist for ServiceWorkers and CSP.

Received on Tuesday, 8 April 2014 16:50:28 UTC