Re: [webappsec] re: ISSUE-58, late-binding of policies

From: Mike West <mkwst@google.com>
Date: Wed, 7 May 2014 15:11:10 +0200
Message-ID: <CAKXHy=fLrDCpsht7-stFm67r8ANMgKrAnsSYDJZazzgmQbCbhA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

Thanks for taking a stab at this! I'm sad that we haven't been able to
figure out a way we can agree upon to tighten an existing policy, but I'm
happy we'll have a chance to revisit that in CSP 1.1. :)

On Tue, May 6, 2014 at 10:54 PM, Hill, Brad <bhill@paypal.com> wrote:

> Following up on my action item, I'd like to propose some additional
> non-normative text for section 3.1.4, "Enforcing multiple policies" of CSP
> 1.1.
>
> "This version of Content Security Policy does not allow late-binding or
> modification of an enforced or monitored policy after one has been
> calculated and applied.  Therefore, policies supplied in a META tag will
> not be applied if a policy from an HTTP header has already been received.
> Supplemental policies that are loaded after a resource load is complete
> such as policies associated with a ServiceWorker, or manifested with an
> installable web application, are treated similarly.
What does this mean? Policies associated with workers are distinct from the
page's policy (at least, that's how I understood it last time I looked at
SW with Jake).
> Resources with supplemental policies SHOULD be initially delivered with a
> policy in the HTTP header that can be applied on the resource's first
> instantiation, and the policy SHOULD be the same as any policy that will be
> bound to future instances of the resources to avoid inconsistent
> application behavior."
>

I guess you're thinking about Manifest here? And claiming that applications
should deliver the same policy with page loads that they do in the manifest?

-mike
Received on Wednesday, 7 May 2014 13:12:03 UTC
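As an added illustration that is not part of this thread or of the CSP specification text, the following toy model (Python, with a deliberately simplified source-expression matcher) shows the two rules the quoted proposal rests on: a load is permitted only if every bound policy permits it, and a policy that arrives after the policy set has already been applied is ignored rather than merged in.

```python
from urllib.parse import urlparse
# Added illustration, not from the thread: a toy model of CSP 1.1's rule that a
# load must be allowed by *every* bound policy, plus the "no late binding" rule
# in the quoted proposal. Host matching is simplified (exact host or *.suffix).

def parse_policy(text):
    """'default-src 'self'; img-src https://cdn.example' -> {directive: [sources]}"""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, origin):
    u = urlparse(url)
    host = u.hostname or ""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == origin
    if expr == "*":
        return True
    if expr.endswith(":"):               # scheme-source such as https:
        return u.scheme == expr[:-1]
    pattern = expr.split("://", 1)[-1]   # drop an optional scheme prefix (simplified)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

class Document:
    def __init__(self, url):
        u = urlparse(url)
        self.origin = (u.scheme, u.netloc)
        self.policies = []
        self.applied = False   # becomes True once the policy set has been used

    def bind_policy(self, text):
        """Header and <meta> policies bind before first use; later ones are dropped."""
        if self.applied:
            return False
        self.policies.append(parse_policy(text))
        return True

    def allows(self, directive, url):
        """Allowed only if each bound policy allows it (directive or default-src)."""
        self.applied = True
        for policy in self.policies:
            sources = policy.get(directive, policy.get("default-src"))
            if sources is not None and not any(source_matches(s, url, self.origin) for s in sources):
                return False
        return True
```

With two policies bound, the stricter of the two wins for each directive; once `allows` has run, a further `bind_policy` call returns False and leaves the enforced set unchanged.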