Re: [CSP] Clarifications regarding the HTTP LINK Header

On Sun, Nov 9, 2014 at 2:07 PM, Brian Smith <> wrote:

> Below are three test cases regarding the interaction of CSP and the
> HTTP Link header, specifically for rel=stylesheet. The question in
> each case is whether the bad.css stylesheet should be loaded. I think
> this would be a good think to clarify in the spec. In particular, if
> <meta> cannot restrict the HTTP Link header, then that is worth
> calling out specifically.

I also noticed an interesting study of support for the HTTP LINK
> header for rel=stylesheet [1]. It indicates that Firefox and old
> versions of Opera are the only major browsers that support the HTTP
> LINK header for rel=stylesheet. Perhaps it is a good idea to drop the
> HTTP LINK header with rel=stylesheet from HTML? This would be a good
> time to decide, because Blink is considering adding support now [2].

There are legitimate use cases for Link, we should not drop support.

Resource-Hints (rel=preload in particular) is relying on Link to allow
servers+proxies to emit resource hints without modifying the response body.
This is an important use case for CDN's / FEO products / BW-reduction
proxies (Opera, Chrome, etc).


It would be good to clarify in the spec how CSP header interacts with Link.


Received on Tuesday, 11 November 2014 22:47:26 UTC