Re: [CSP] Clarifications regarding the HTTP LINK Header

Brad Hill <> writes:

> I wonder a bit how much this actually matters for the guarantees we're trying to make for CSP?
> If I prefetch something that is later denied to be included / transcluded into a page via CSP, have I violated the policy?
> Even if we decide to use CSP for confinement (which it presently makes no strong guarantees of) is link fetching that happens before the instantiation of a resource in the scope of that confinement?
> I think an example of an actual vulnerability that we would care about addressing would help me reason about this better.

I think you're right, this is not technically a violation of the
policy. Even in the context of confinement. I think the issue is one
mistakenly assuming that the CSP applies to all fetching vs. it only
applying to all subsequent fetches.


Received on Tuesday, 18 November 2014 00:51:07 UTC