Re: [CSP] Clarifications regarding the HTTP LINK Header

On Thu, Nov 13, 2014 at 8:56 AM, Ilya Grigorik <> wrote:
> On Wed, Nov 12, 2014 at 4:24 PM, Brian Smith <> wrote:
>> It's quite a usability failure, though. We're saying "Hey, here's
>> <meta http-equiv=Content-Security-Policy> to make CSP easier for you
>> to use, but don't use it, because it's not equivalent to the HTTP
>> Content-Security-Policy header."
> I don't think we should claim that they are equivalent.

The syntax ("http-equiv") literally says they are equivalent!

> For best results you need to define your CSP policy as early as possible.
> Specifying it an HTTP header is the best route, as it guarantees that the
> policy can be parsed and applied before any response body bytes are
> processed. The second best option, if you can't use the HTTP header route,
> is to provide an equivalent policy via <meta>, which should be placed as
> early as possible in the document.

Developer tools should warn whenever anything other than "<!DOCTYPE
html>", "<html>", "<head>", or "<meta charset=...>" appear before
"<meta http-equiv=Content-Security-Policy>", regardless of whether it
applies to Link headers.

> I don't think we want to get into the business of "must be in first X bytes"
> -- this, by itself, is a usability problem. Similarly, requiring that we
> wait for <meta> would, once again, force proxies to start flushing fake head
> sections and doing other funny business.

I mostly agree with you. But, don't you already need to wait for <meta
name=Referrer> so that you know which Referer header to send in your
HTTP requests for prefetches that result from HTTP LINK? That is,
doesn't <meta> Referrer have the same problem?

> We should just make it clear that if you're using Link to initiate fetches,
> and you use CSP, then your CSP policy should be provided as an HTTP
> header... which is a security best practice anyway.

The way to make this clear would be to add a note to the HTML
specification, the CSP specification, and the resource hints
specification, and then also have developer tools warn when HTTP LINK
and CSP <meta> are used together.

> Will do, if you want to follow along:



Received on Friday, 14 November 2014 03:06:18 UTC