
Re: CSP: Problems with referrer and reflected-xss

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 18 Jun 2014 00:18:24 -0700
Message-ID: <53A13D40.7070505@mozilla.com>
To: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>
CC: Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 6/16/2014 11:33 AM, Chris Palmer wrote:
> Another solution floated was to have the security policy expressed as
> the resource retrieved from a well-known URI, rather than mashing it
> in headers. Then it could be cached and pre-fetched.

A well-known location means an entire site has to have the same policy
which leads to a weak policy, but early versions of the spec (and
Mozilla's original implementation) did support a header-specified policy
URL for that reason. If a large chunk of your site uses the same policy
then it's cached and fast; if one page needed a unique policy you can do
that, too.

-Dan Veditz
Received on Wednesday, 18 June 2014 07:18:56 UTC
