- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 9 Nov 2014 14:07:19 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Below are three test cases regarding the interaction of CSP and the HTTP Link header, specifically for rel=stylesheet. The question in each case is whether the bad.css stylesheet should be loaded. I think this would be a good thing to clarify in the spec. In particular, if <meta> cannot restrict the HTTP Link header, then that is worth calling out specifically.

I also noticed an interesting study of support for the HTTP LINK header for rel=stylesheet [1]. It indicates that Firefox and old versions of Opera are the only major browsers that support the HTTP LINK header for rel=stylesheet. Perhaps it is a good idea to drop the HTTP LINK header with rel=stylesheet from HTML? This would be a good time to decide, because Blink is considering adding support now [2].

Cheers,
Brian

[1] https://greenbytes.de/tech/tc/httplink/
[2] https://code.google.com/p/chromium/issues/detail?id=58456

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Security-Policy: style-src 'none'
    Link: <bad.css>; REL=stylesheet

    <!DOCTYPE html>
    The Content-Security-Policy header precedes the Link header.

    HTTP/1.1 200 OK
    Content-Type: text/html
    Link: <bad.css>; REL=stylesheet
    Content-Security-Policy: style-src 'none'

    <!DOCTYPE html>
    The Content-Security-Policy header follows the Link header.

    HTTP/1.1 200 OK
    Content-Type: text/html
    Link: <bad.css>; REL=stylesheet

    <!DOCTYPE html>
    <meta http-equiv=Content-Security-Policy content="style-src 'none'">
    The Content-Security-Policy policy is defined using the meta element.

bad.css:

    body { background-color: red }
Received on Sunday, 9 November 2014 22:07:46 UTC
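As an added example (not part of Brian's post), a small Python checker that pulls the rel=stylesheet URLs out of a response's Link headers and tests each against the style-src source list of a header-delivered CSP, so a server operator can verify that a Link-pushed stylesheet is covered by the header policy regardless of header order. It deliberately reports "no header policy" for the third test case rather than deciding whether a <meta> policy restricts Link headers; the sample response and the document URL used in the test are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

def headers_of(raw):
    """[(name, value), ...] for a raw HTTP response's header block, status line skipped."""
    head = raw.strip("\n").partition("\n\n")[0]
    pairs = (line.partition(":") for line in head.split("\n")[1:])
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def link_stylesheets(headers):
    """URLs from Link headers whose rel parameter (case-insensitive) includes stylesheet."""
    urls = []
    for name, value in headers:
        for entry in (value.split(",") if name == "link" else ()):
            m = re.match(r'\s*<([^>]*)>(.*)', entry)
            rel = m and re.search(r';\s*rel\s*=\s*"?([^";]*)"?', m.group(2), re.I)
            if rel and "stylesheet" in rel.group(1).lower().split():
                urls.append(m.group(1))
    return urls

def header_style_src(headers):
    """style-src from the first CSP header (falls back to default-src), or None if neither."""
    for name, value in headers:
        if name == "content-security-policy":
            d = {p[0]: p[1:] for p in (x.lower().split() for x in value.split(";")) if p}
            return d.get("style-src", d.get("default-src"))
    return None

def allows(source_list, url, document_url):
    """Simplified CSP source matching: 'none', '*', 'self' and exact-origin host sources."""
    if source_list == ["'none'"]:
        return False
    t, d = urlsplit(urljoin(document_url, url)), urlsplit(document_url)
    origin, doc_origin = f"{t.scheme}://{t.netloc}", f"{d.scheme}://{d.netloc}"
    return any(s == "*" or (s == "'self'" and origin == doc_origin) or s == origin
               for s in source_list)

def verdicts(raw, document_url):
    """Per Link-delivered stylesheet: 'blocked', 'allowed', or 'no header policy'.
    A <meta>-delivered policy is deliberately not consulted (that is the open question)."""
    headers = headers_of(raw)
    policy = header_style_src(headers)
    return {url: ("no header policy" if policy is None
                  else "allowed" if allows(policy, url, document_url) else "blocked")
            for url in link_stylesheets(headers)}

# Constructed sample input modelled on the post's first test case (CSP header before Link).
CASE_HEADER_FIRST = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
                     "Content-Security-Policy: style-src 'none'\n"
                     "Link: <bad.css>; REL=stylesheet\n\n<!DOCTYPE html>\n")
```

Header order does not change the verdict here because both headers are read before any decision is made; only the meta-only case is left undecided.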