Re: CSP: Problems with referrer and reflected-xss

On Mon, Jun 16, 2014 at 2:41 AM, Brian Smith <> wrote:

> I don't think that consolidation is happening; look at Public-Key-Pins and
> HSTS and CORS and many other things that are in separate header fields.

FWIW, I tried at first to have HPKP be an extension of HSTS, but the
IETF Working Group didn't want that. I still think it would have been
better if HPKP had been an extension of HSTS.

Generally I strongly support the consolidation for the cognitive load
reason. However, note that there was a lot of concern about header
bloat (e.g. a large set of HPKP pins could be 200 – 400 bytes, and
people were freaking out). I never bought into the bloat idea — I'm a
lot more concerned about all that plain text that nobody remembers to
gzip, and all the 1 MiB JPEGs that have height and width set to 400px
in HTML — but there you have it. Expect pushback on that front.

Another solution floated was to have the security policy expressed as
the resource retrieved from a well-known URI, rather than mashing it
in headers. Then it could be cached and pre-fetched.

Received on Monday, 16 June 2014 18:34:00 UTC