- From: Mike West <mkwst@google.com>
- Date: Wed, 7 May 2014 15:11:10 +0200
- To: "Hill, Brad" <bhill@paypal.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fLrDCpsht7-stFm67r8ANMgKrAnsSYDJZazzgmQbCbhA@mail.gmail.com>
Thanks for taking a stab at this! I'm sad that we haven't been able to figure out a way we can agree upon to tighten an existing policy, but I'm happy we'll have a chance to revisit that in CSP 1.1. :)

On Tue, May 6, 2014 at 10:54 PM, Hill, Brad <bhill@paypal.com> wrote:

> Following up on my action item, I'd like to propose some additional non-normative text for section 3.1.4, "Enforcing multiple policies" of CSP 1.1.
>
> "This version of Content Security Policy does not allow late-binding or modification of an enforced or monitored policy after one has been calculated and applied. Therefore, policies supplied in a META tag will not be applied if a policy from an HTTP header has already been received. Supplemental policies that are loaded after a resource load is complete, such as policies associated with a ServiceWorker, or manifested with an installable web application, are treated similarly.

What does this mean? Policies associated with workers are distinct from the page's policy (at least, that's how I understood it last time I looked at SW with Jake).

> Resources with supplemental policies SHOULD be initially delivered with a policy in the HTTP header that can be applied on the resource's first instantiation, and the policy SHOULD be the same as any policy that will be bound to future instances of the resources to avoid inconsistent application behavior."

I guess you're thinking about Manifest here? And claiming that applications should deliver the same policy with page loads that they do in the manifest?

-mike
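As an added illustration that is not part of Brad's proposal or Mike's reply, the following Python model shows the two behaviours the quoted text turns on: a META policy received after a header policy is not applied (the proposed no-late-binding rule), and where several policies are enforced a load must be permitted by every one of them (the "enforcing multiple policies" semantics as I understand CSP 1.1; this is my model, not text from the thread or from any browser). The origins, policies and URLs are constructed for the example, and the source-expression matcher covers only a subset of CSP's grammar.

```python
"""Model of how multiple CSP policies bind to a document and combine.

Illustrative code written for this page; not the CSP specification text and
not any user agent's implementation. The matching rules below cover only
'self', 'none', '*', scheme-sources (https:) and host-sources (with *. wildcard).
"""
from urllib.parse import urlsplit


def parse_policy(text):
    """Parse a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        # CSP keeps the first occurrence of a repeated directive and ignores later ones.
        policy.setdefault(name, sources)
    return policy


def source_matches(expr, url, page_origin):
    """Return True if one source expression allows loading `url`."""
    target = urlsplit(url)
    target_origin = f"{target.scheme}://{target.netloc}"
    expr_lc = expr.lower()
    if expr_lc == "'none'":
        return False
    if expr_lc == "'self'":
        return target_origin == page_origin
    if expr_lc == "*":
        return True
    if expr_lc.endswith(":") and "/" not in expr_lc:  # scheme-source, e.g. "https:"
        return target.scheme == expr_lc[:-1]
    # host-source with an optional scheme, e.g. "https://cdn.example.com" or "*.example.com"
    scheme, _, host = expr_lc.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):
        # "*.example.com" matches subdomains only, never the bare domain.
        return (target.hostname or "").endswith(host[1:])
    return target.netloc.lower() == host


def directive_sources(policy, directive):
    """Look up a fetch directive, falling back to default-src when it is absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


class PolicyState:
    """The policies bound to one document, in the order they were received."""

    def __init__(self, page_origin):
        self.page_origin = page_origin
        self.policies = []
        self.ignored_meta = []

    def receive_header(self, text):
        """A Content-Security-Policy header is always applied."""
        self.policies.append(parse_policy(text))
        return True

    def receive_meta(self, text):
        """Model of the proposed rule: a META policy is not applied once a
        header policy has already been received (assumption taken from the thread)."""
        if self.policies:
            self.ignored_meta.append(text)
            return False
        self.policies.append(parse_policy(text))
        return True

    def allows(self, directive, url):
        """A load is allowed only if every enforced policy allows it; a policy
        that says nothing about the directive imposes no restriction."""
        for policy in self.policies:
            sources = directive_sources(policy, directive)
            if sources is None:
                continue
            if not any(source_matches(s, url, self.page_origin) for s in sources):
                return False
        return True


def demo():
    """Constructed scenario: header first, then a META policy, then a second header."""
    state = PolicyState("https://app.example")
    state.receive_header("default-src 'self'; script-src 'self' https://cdn.example.com")
    meta_applied = state.receive_meta("script-src 'self' https://other.example.net")
    results = {
        "meta_applied": meta_applied,
        "cdn_script": state.allows("script-src", "https://cdn.example.com/app.js"),
        "other_script": state.allows("script-src", "https://other.example.net/x.js"),
        "self_img": state.allows("img-src", "https://app.example/logo.png"),
        "foreign_img": state.allows("img-src", "https://images.example.org/a.png"),
    }
    # A second header policy is enforced alongside the first: the CDN script now
    # passes policy one but fails policy two, so the load is blocked.
    state.receive_header("script-src 'self'")
    results["cdn_after_second_header"] = state.allows("script-src", "https://cdn.example.com/app.js")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Running the block prints one line per check; `meta_applied` is False because the header arrived first, and `cdn_after_second_header` is False because the second header narrows the set of sources every policy must agree on.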
Received on Wednesday, 7 May 2014 13:12:03 UTC