Re: [webappsec] re: ISSUE-58, late-binding of policies

Thanks for taking a stab at this! I'm sad that we haven't been able to
figure out a way we can agree upon to tighten an existing policy, but I'm
happy we'll have a chance to revisit that in CSP 1.1. :)

On Tue, May 6, 2014 at 10:54 PM, Hill, Brad <bhill@paypal.com> wrote:

> Following up on my action item, I'd like to propose some additional
> non-normative text for section 3.1.4, "Enforcing multiple policies" of CSP
> 1.1.
>
> "This version of Content Security Policy does not allow late-binding or
> modification of an enforced or monitored policy after one has been
> calculated and applied.  Therefore, policies supplied in a META tag will
> not be applied if a policy from an HTTP header has already been received.
>  Supplemental policies that are loaded after a resource load is complete
> such as policies associated with a ServiceWorker, or manifested with an
> installable web application, are treated similarly.


What does this mean? Policies associated with workers are distinct from the
page's policy (at least, that's how I understood it last time I looked at
SW with Jake).


> Resources with supplemental policies SHOULD be initially delivered with a
> policy in the HTTP header that can be applied on the resource's first
> instantiation, and the policy SHOULD be the same as any policy that will be
> bound to future instances of the resources to avoid inconsistent
> application behavior."
>

I guess you're thinking about Manifest here? And claiming that applications
should deliver the same policy with page loads that they do in the manifest?

-mike
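The proposed text says a later-bound policy (for example one in a META tag) is not applied once a header policy has been received, and that the two SHOULD therefore be identical. The following added example, not part of this thread or any CSP implementation, is a checker for that consistency requirement: it parses both serializations and reports directives whose effective values differ. The parser follows the CSP serialization grammar (directives separated by `;`, a directive name followed by whitespace-separated values, names case-insensitive); the sample header and HTML are constructed.

```python
# Added example (not from the thread): compare the CSP delivered in the HTTP
# header with a policy that would be bound later via a <meta> tag, and flag
# any directive whose effective values differ between the two.
import re

META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
# attribute name, then either a double-quoted or a single-quoted value
ATTR_RE = re.compile(r"(\w[\w-]*)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')")

def parse_csp(serialized):
    """Return {directive_name: tuple(values)} for a CSP serialization."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        # the first occurrence of a directive wins; later duplicates are ignored
        if name not in policy:
            policy[name] = tuple(parts[1:])
    return policy

def extract_meta_csp(html):
    """Return the content of the first CSP <meta http-equiv> tag, or None."""
    for tag in META_RE.findall(html):
        attrs = {k.lower(): (dq if dq != "" or sq == "" else sq)
                 for k, dq, sq in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "content-security-policy":
            return attrs.get("content")
    return None

def policy_differences(header_policy, later_policy):
    """List (directive, header_values, later_values) where the two disagree.
    Source-expression order carries no meaning, so values compare as sets."""
    diffs = []
    for name in sorted(set(header_policy) | set(later_policy)):
        a, b = header_policy.get(name), later_policy.get(name)
        if a is None or b is None or set(a) != set(b):
            diffs.append((name, a, b))
    return diffs

def check_consistency(header_value, html):
    """Empty list means the META policy (if any) matches the header policy."""
    meta = extract_meta_csp(html)
    if meta is None:
        return []
    return policy_differences(parse_csp(header_value), parse_csp(meta))

# Constructed sample: the META policy tries to add a host to script-src; under
# the proposed text it would be ignored, so the page would not behave as expected.
SAMPLE_HEADER = "default-src 'self'; script-src 'self' https://cdn.example"
SAMPLE_HTML = (
    '<html><head><meta http-equiv="Content-Security-Policy" '
    "content=\"default-src 'self'; script-src 'self' https://cdn.example "
    'https://analytics.example"></head></html>'
)
```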

Received on Wednesday, 7 May 2014 13:12:03 UTC