
Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Deian Stefan <deian@cs.stanford.edu>
Date: Mon, 17 Nov 2014 16:50:42 -0800
To: Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Brian Smith <brian@briansmith.org>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <87h9xx2uxp.fsf@cs.stanford.edu>

Brad Hill <hillbrad@fb.com> writes:

> I wonder a bit how much this actually matters for the guarantees we're trying to make for CSP?
>
> If I prefetch something that is later denied to be included / transcluded into a page via CSP, have I violated the policy?
>
> Even if we decide to use CSP for confinement (which it presently makes no strong guarantees of) is link fetching that happens before the instantiation of a resource in the scope of that confinement?
>
> I think an example of an actual vulnerability that we would care about addressing would help me reason about this better.

I think you're right: this is not technically a violation of the
policy, even in the context of confinement. I think the issue is one
of mistakenly assuming that the CSP applies to all fetching vs. it only
applying to all subsequent fetches.

Deian
Received on Tuesday, 18 November 2014 00:51:07 UTC
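As an added illustration of the distinction Deian draws above (this is example code written for this archive page, not code from the thread or from any browser's CSP implementation), the following Python audit helper reads a response's Link and Content-Security-Policy headers and reports which Link targets the policy would block once the document exists, while the Link fetch itself is not a violation. The source-expression matching is a simplified approximation (no path or port handling, no http-to-https upgrade), and the headers, hostnames and function names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample response headers (not taken from the thread).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' https://*.cdn.example",
    "Link": "<https://img.cdn.example/hero.png>; rel=preload; as=image, "
            "<https://tracker.example/px.js>; rel=prefetch",
}
PAGE_ORIGIN = "https://app.example"  # origin of the document being served


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_link(header):
    """Return (url, rel) pairs from an HTTP Link header value."""
    targets = []
    for part in header.split(","):
        m = re.match(r"\s*<([^>]+)>(.*)", part)
        if not m:
            continue
        rel = re.search(r'rel="?([^";\s]+)"?', m.group(2))
        targets.append((m.group(1), rel.group(1) if rel else ""))
    return targets


def source_allows(src, url, page_origin):
    """Simplified CSP source-expression match (scheme/host only, '*.' wildcard)."""
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src == "*":
        return u.scheme in ("http", "https")
    if src.endswith(":"):  # scheme-source such as https:
        return u.scheme == src[:-1]
    s = urlparse(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.netloc.lower()
    if host.startswith("*."):
        return u.netloc.lower().endswith(host[1:])
    return u.netloc.lower() == host


def link_targets_blocked_by_csp(headers, page_origin, directive="default-src"):
    """Link targets the policy would refuse once the document is instantiated.

    The Link fetch happens before the policy is in force, so none of these is a
    CSP violation; the list shows prefetches the page could not later use."""
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    return [(url, rel) for url, rel in parse_link(headers.get("Link", ""))
            if not any(source_allows(s, url, page_origin) for s in sources)]
```

Running it against `SAMPLE_HEADERS` with `directive="img-src"` flags only the tracker prefetch; with the default `default-src` check both Link targets are reported.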
