- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Mon, 17 Nov 2014 16:50:42 -0800
- To: Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: Brian Smith <brian@briansmith.org>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Brad Hill <hillbrad@fb.com> writes:

> I wonder a bit how much this actually matters for the guarantees we're trying to make for CSP?
>
> If I prefetch something that is later denied to be included / transcluded into a page via CSP, have I violated the policy?
>
> Even if we decide to use CSP for confinement (which it presently makes no strong guarantees of) is link fetching that happens before the instantiation of a resource in the scope of that confinement?
>
> I think an example of an actual vulnerability that we would care about addressing would help me reason about this better.

I think you're right, this is not technically a violation of the policy. Even in the context of confinement. I think the issue is one mistakenly assuming that the CSP applies to all fetching vs. it only applying to all subsequent fetches.

Deian
Received on Tuesday, 18 November 2014 00:51:07 UTC