- From: Francois Marier <francois@mozilla.com>
- Date: Fri, 13 Feb 2015 20:32:30 +1300
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 13/02/15 19:08, Devdatta Akhawe wrote:
> There is a huge advantage to the page wide policy since it makes
> reasoning about the security of a web application a lot more
> tractable. I would be worried about letting a local element over-ride
> the page wide policy

As you point out, this is not part of the pull request, but what I was thinking is that the element attribute would take precedence over the page policy (at least the one defined in the meta tag, I'm not entirely sure where the CSP policy would fit in).

This is important because it allows someone to say:

- no referrer for everything on this page
- except for this one link to an internal property because we need the origin and path

If we have the meta policy take precedence over the policy in each link, then the web developer in the above example isn't going to be able to use a restrictive global policy.

Francois

Received on Friday, 13 February 2015 07:33:04 UTC