W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

[CSP] Clarifications regarding the HTTP LINK Header

From: Brian Smith <brian@briansmith.org>
Date: Sun, 9 Nov 2014 14:07:19 -0800
Message-ID: <CAFewVt5TBUeDNKWRiMpRKF3bNXsryEoHzFnLzzGu6RjaEKcMcw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Below are three test cases regarding the interaction of CSP and the
HTTP Link header, specifically for rel=stylesheet. The question in
each case is whether the bad.css stylesheet should be loaded. I think
this would be a good think to clarify in the spec. In particular, if
<meta> cannot restrict the HTTP Link header, then that is worth
calling out specifically.

I also noticed an interesting study of support for the HTTP LINK
header for rel=stylesheet [1]. It indicates that Firefox and old
versions of Opera are the only major browsers that support the HTTP
LINK header for rel=stylesheet. Perhaps it is a good idea to drop the
HTTP LINK header with rel=stylesheet from HTML? This would be a good
time to decide, because Blink is considering adding support now [2].

Cheers,
Brian

[1] https://greenbytes.de/tech/tc/httplink/
[2] https://code.google.com/p/chromium/issues/detail?id=58456


HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: style-src 'none'
Link: <bad.css>; REL=stylesheet"

<!DOCTYPE html>
The Content-Security-Policy header precedes the Link header


HTTP/1.1 200 OK
Content-Type: text/html
Link: <bad.css>; REL=stylesheet"
Content-Security-Policy: style-src 'none'

<!DOCTYPE html>
The Content-Security-Policy header follows the Link header.


HTTP/1.1 200 OK
Content-Type: text/html
Link: <bad.css>; REL=stylesheet"

<!DOCTYPE html>
<meta http-equiv=Content-Security-Policy content="style-src 'none'">
The Content-Security-Policy policy is defined using the meta element.


bad.css: body { background-color: red }
Received on Sunday, 9 November 2014 22:07:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC