- From: Ilya Grigorik <igrigorik@gmail.com>
- Date: Tue, 11 Nov 2014 14:46:20 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKRe7JF-UVgVE+OpVKq3h2+F0aCNLY=H+h=fXFh1kxUCBvq1=A@mail.gmail.com>
On Sun, Nov 9, 2014 at 2:07 PM, Brian Smith <brian@briansmith.org> wrote: > Below are three test cases regarding the interaction of CSP and the > HTTP Link header, specifically for rel=stylesheet. The question in > each case is whether the bad.css stylesheet should be loaded. I think > this would be a good think to clarify in the spec. In particular, if > <meta> cannot restrict the HTTP Link header, then that is worth > calling out specifically. I also noticed an interesting study of support for the HTTP LINK > header for rel=stylesheet [1]. It indicates that Firefox and old > versions of Opera are the only major browsers that support the HTTP > LINK header for rel=stylesheet. Perhaps it is a good idea to drop the > HTTP LINK header with rel=stylesheet from HTML? This would be a good > time to decide, because Blink is considering adding support now [2]. > There are legitimate use cases for Link, we should not drop support. Resource-Hints (rel=preload in particular) is relying on Link to allow servers+proxies to emit resource hints without modifying the response body. This is an important use case for CDN's / FEO products / BW-reduction proxies (Opera, Chrome, etc). - http://w3c.github.io/resource-hints/#interoperability-with-http-link-header - http://w3c.github.io/resource-hints/#developer-server-and-proxy-generated-hints-preload It would be good to clarify in the spec how CSP header interacts with Link. ig
Received on Tuesday, 11 November 2014 22:47:26 UTC