
[webappsec] re: ISSUE-58, late-binding of policies

From: Hill, Brad <bhill@paypal.com>
Date: Tue, 6 May 2014 20:54:11 +0000
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <E7FE84D6-2BEC-4C68-8768-DCC616859BA2@paypal.com>

Following up on my action item, I'd like to propose some additional non-normative text for section 3.1.4, "Enforcing multiple policies" of CSP 1.1.

"This version of Content Security Policy does not allow late-binding or modification of an enforced or monitored policy after one has been calculated and applied. Therefore, policies supplied in a META tag will not be applied if a policy from an HTTP header has already been received. Supplemental policies that are loaded after a resource load is complete, such as policies associated with a ServiceWorker, or manifested with an installable web application, are treated similarly. Resources with supplemental policies SHOULD be initially delivered with a policy in the HTTP header that can be applied on the resource's first instantiation, and the policy SHOULD be the same as any policy that will be bound to future instances of the resources to avoid inconsistent application behavior."

-Brad
Received on Tuesday, 6 May 2014 20:54:39 UTC
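As an added illustration, not part of Brad's message or of the CSP specification, the following Python model shows the two rules the proposed text relies on: a META policy binds only when no HTTP header policy was already applied, and with multiple enforced policies a load must be allowed by every one of them. The helper names (parse_policy, collect_policies, is_allowed) are assumptions, and source matching is reduced to 'self', '*', 'none' and exact origins rather than the spec's full matching algorithm.

```python
# Simplified model of CSP 1.1 policy binding and multiple-policy enforcement.
# Not the spec algorithm: source-expression matching only handles 'self',
# '*', 'none' and exact origins (an assumption made for this example).
from urllib.parse import urlparse

def parse_policy(serialized):
    """Parse "default-src 'self'; img-src https://cdn.example" into a dict
    mapping directive name -> list of source expressions."""
    policy = {}
    for directive in serialized.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def collect_policies(header_values, meta_values):
    """No late-binding: header policies (each header may carry several,
    comma-separated) bind when the response arrives. META policies are only
    applied if no header policy was already received."""
    policies = [parse_policy(p) for value in header_values
                for p in value.split(",")]
    if not policies:
        policies = [parse_policy(p) for p in meta_values]
    return policies

def _source_allowed(sources, url, page_origin):
    parts = urlparse(url)
    origin = "{}://{}".format(parts.scheme, parts.netloc)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or src == origin or (src == "'self'" and origin == page_origin):
            return True
    return False

def allowed_by_policy(policy, directive, url, page_origin):
    """Fall back to default-src when the specific directive is absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither directive nor default-src: unrestricted
    return _source_allowed(sources, url, page_origin)

def is_allowed(policies, directive, url, page_origin):
    """Multiple policies: the load is allowed only if every policy allows it."""
    return all(allowed_by_policy(p, directive, url, page_origin) for p in policies)

if __name__ == "__main__":
    # Constructed sample: header carries two policies, META tries to loosen them.
    pols = collect_policies(["default-src 'self'; img-src https://cdn.example.com, script-src 'self'"],
                            ["default-src *"])
    print(len(pols), is_allowed(pols, "script-src", "https://cdn.example.com/x.js", "https://app.example.com"))
```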
