Re: [CSP] Clarifications regarding the HTTP LINK Header

On Tue, Nov 11, 2014 at 3:56 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Nov 11, 2014 at 2:46 PM, Ilya Grigorik <igrigorik@gmail.com>
> wrote:
> >> I also noticed an interesting study of support for the HTTP LINK
> >> header for rel=stylesheet [1]. It indicates that Firefox and old
> >> versions of Opera are the only major browsers that support the HTTP
> >> LINK header for rel=stylesheet. Perhaps it is a good idea to drop the
> >> HTTP LINK header with rel=stylesheet from HTML? This would be a good
> >> time to decide, because Blink is considering adding support now [2].
> >
> > There are legitimate use cases for Link, we should not drop support.
> >
> > Resource-Hints (rel=preload in particular) is relying on Link to allow
> > servers+proxies to emit resource hints without modifying the response
> body.
> > This is an important use case for CDN's / FEO products / BW-reduction
> > proxies (Opera, Chrome, etc).
>
> My question was not whether we should drop support for any/all Link
> relations. My question was specifically about dropping support for the
> HTTP LINK header with rel=stylesheet.
>

Why? It's a legitimate use case, and I don't think there is anything about
rel=stylesheet that can't be addressed (see below).


> >
> http://w3c.github.io/resource-hints/#developer-server-and-proxy-generated-hints-preload
> >
> > It would be good to clarify in the spec how CSP header interacts with
> Link.
>
> I agree. And, in particular, it would be good to call out what is to
> happen when <meta http-equiv=Content-Security-Policy> is used with
> Link rel=preload and how it affects any/all other prefetching,
> especially preloading done as part of the prescanner.


"Authors are strongly encouraged to place the meta element as early in the
document as possible to reduce the risk of content injection before a
protective policy can be read and enforced." [1]

What we're discussing here is an extension of the same problem:

- Link header can initiate a download before any response body bytes are
received and before <meta> policy is processed and applied.
-- To guard for this, you should specify your CSP policy in the HTTP
header: guarantees that the policy is applied against and before *all*
requests.
-- HTTP headers can be re-ordered in transit, we can require that Link
fetches are delayed until headers are processed (except for Trailers).

ig

[1]
https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element

Received on Wednesday, 12 November 2014 22:55:23 UTC