
Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Ilya Grigorik <igrigorik@gmail.com>
Date: Tue, 11 Nov 2014 14:46:20 -0800
Message-ID: <CAKRe7JF-UVgVE+OpVKq3h2+F0aCNLY=H+h=fXFh1kxUCBvq1=A@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Nov 9, 2014 at 2:07 PM, Brian Smith <brian@briansmith.org> wrote:

> Below are three test cases regarding the interaction of CSP and the
> HTTP Link header, specifically for rel=stylesheet. The question in
> each case is whether the bad.css stylesheet should be loaded. I think
> this would be a good thing to clarify in the spec. In particular, if
> <meta> cannot restrict the HTTP Link header, then that is worth
> calling out specifically.

> I also noticed an interesting study of support for the HTTP LINK
> header for rel=stylesheet [1]. It indicates that Firefox and old
> versions of Opera are the only major browsers that support the HTTP
> LINK header for rel=stylesheet. Perhaps it is a good idea to drop the
> HTTP LINK header with rel=stylesheet from HTML? This would be a good
> time to decide, because Blink is considering adding support now [2].
>

There are legitimate use cases for Link, we should not drop support.

Resource-Hints (rel=preload in particular) is relying on Link to allow
servers+proxies to emit resource hints without modifying the response body.
This is an important use case for CDNs / FEO products / BW-reduction
proxies (Opera, Chrome, etc).

- http://w3c.github.io/resource-hints/#interoperability-with-http-link-header
- http://w3c.github.io/resource-hints/#developer-server-and-proxy-generated-hints-preload

It would be good to clarify in the spec how the CSP header interacts with Link.

ig
Received on Tuesday, 11 November 2014 22:47:26 UTC
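An added example, not code from the thread, that makes the interaction under discussion concrete: it parses an HTTP Link header, picks out the stylesheet targets (rel=stylesheet, or rel=preload with as=style) and checks each against the style-src source list of a CSP sent as a response header. The sample headers and hosts are constructed; the parser and matcher cover only a subset of RFC 8288 link-values and CSP source expressions, and whether a browser actually applies the policy to Link-delivered stylesheets is exactly the question the thread leaves open.

```python
import re
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://www.example.com/index.html"   # constructed sample page
SAMPLE_HEADERS = {                                  # constructed sample response headers
    "Content-Security-Policy": "default-src 'none'; style-src 'self' https://cdn.example.com",
    "Link": '<https://cdn.example.com/app.css>; rel=stylesheet, '
            '<https://bad.example.net/bad.css>; rel="stylesheet", '
            '</fonts.css>; rel=preload; as=style',
}

def parse_link_header(value, base_url):
    """Yield (absolute URL, {param: value}) per link-value; quoted values with ',' or ';' unsupported."""
    for target, raw in re.findall(r'<([^>]*)>((?:\s*;[^,]*)*)', value):
        params = {}
        for p in raw.split(';'):
            if '=' in p:
                k, v = p.split('=', 1)
                params[k.strip().lower()] = v.strip().strip('"').lower()
        yield urljoin(base_url, target), params

def csp_allows(source_list, url, page_url):
    """Match url against a CSP source list: 'none', 'self', scheme-source, host-source (ports/paths ignored)."""
    u, page = urlsplit(url), urlsplit(page_url)
    for expr in source_list.lower().split():
        if expr == "'none'":
            return False
        if expr == "'self'" and (u.scheme, u.netloc) == (page.scheme, page.netloc):
            return True
        if expr.endswith(':') and u.scheme == expr[:-1]:      # scheme-source, e.g. "https:"
            return True
        if expr.startswith("'") or expr.endswith(':'):
            continue                                          # keywords, nonces, hashes never match a URL
        scheme, _, rest = expr.rpartition('://')              # host-source: [scheme://]host[:port][/path]
        host = rest.split('/', 1)[0].split(':', 1)[0]
        h = u.hostname or ''
        if (not scheme or scheme == u.scheme) and (
                host in ('*', h) or (host.startswith('*.') and h.endswith(host[1:]))):
            return True
    return False

def link_stylesheets_vs_csp(headers, page_url=PAGE_URL):
    """Map each Link-delivered stylesheet (rel=stylesheet, or preload as=style) to whether style-src allows it."""
    m = re.search(r'(?:^|;)\s*style-src\s+([^;]+)', headers.get("Content-Security-Policy", ""))
    style_src = m.group(1) if m else "*"        # simplification: fallback to default-src not modelled
    return {url: csp_allows(style_src, url, page_url)
            for url, p in parse_link_header(headers.get("Link", ""), page_url)
            if 'stylesheet' in p.get('rel', '').split()
            or ('preload' in p.get('rel', '').split() and p.get('as') == 'style')}
```

Running `link_stylesheets_vs_csp(SAMPLE_HEADERS)` flags bad.css as the one target the header policy would not cover, which is the case an operator relying on a <meta>-only policy never gets to see.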
