
Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Brian Smith <brian@briansmith.org>
Date: Mon, 19 Jan 2015 13:53:23 -0800
Message-ID: <CAFewVt53wumj8DCFnT_HMqou90toLgnKvpX0SUYKAre5bjq5-A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Deian Stefan <deian@cs.stanford.edu>, Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Mike West <mkwst@google.com> wrote:
> In particular, note the "Processing Complications" section at
> https://w3c.github.io/webappsec/specs/CSP2/#complications.
>
> WDYT?

I think this generally looks good.

I suggest you replace "In practice, this implies that user agents
should wait until all headers have been processed before beginning to
prefetch resources" with "User agents MUST wait until all header
fields have been received and until all Content-Security-Policy header
fields have been processed before fetching or prefetching resources."
Note, in particular, the replacement of "should" with "MUST."

It would be good to expand the text in the section on <meta> to more
explicitly call out what can go wrong with using <meta>-specified
policies. The current text is good in pointing out that content that
appears before the <meta> element will not be restricted by the policy
in the <meta> element, but it would be good to explicitly call out the
specific cases we are aware of, e.g. "In particular, resources
fetched or prefetched using Link: HTTP header fields and/or resources
fetched or prefetched using <link> elements that precede a <meta> CSP
policy will not be restricted by the policy."

Cheers,
Brian
Received on Monday, 19 January 2015 21:53:50 UTC
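As an added illustration (not part of Brian's mail or of the CSP specification), a small Python lint that reports the fetches the mail says a <meta>-delivered policy cannot restrict: targets of Link: header fields and of <link> elements that precede the <meta> CSP element. The response headers and HTML document are constructed samples; treating a header-delivered policy as covering every fetch assumes the MUST the mail proposes.

```python
import re
from html.parser import HTMLParser

# Constructed sample response: the policy is delivered only via <meta>, while a
# Link: header and an early <link> element both trigger fetches before it.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Link": ('<https://cdn.example/app.js>; rel=preload; as=script, '
             '<https://cdn.example/next.html>; rel=prefetch'),
}
SAMPLE_BODY = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example/early.css">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<link rel="stylesheet" href="https://cdn.example/late.css">
<script src="https://cdn.example/app.js"></script>
</head><body></body></html>"""

def link_header_targets(headers):
    """URLs in Link: header fields (keys lower-cased); processed before the body, so a <meta> CSP never covers them."""
    return re.findall(r"<([^>]+)>", headers.get("link", ""))

class _EarlyLinkFinder(HTMLParser):
    """Collect <link href> targets that appear before the first <meta> CSP."""
    def __init__(self):
        super().__init__()
        self.early, self.seen_meta_csp = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.seen_meta_csp = True
        elif tag == "link" and a.get("href") and not self.seen_meta_csp:
            self.early.append(a["href"])

def unrestricted_fetches(headers, body):
    """Fetch targets a <meta>-only CSP cannot restrict. Assumes the user agent
    waits for all header fields and applies any Content-Security-Policy header
    before fetching (the MUST proposed in the mail), so a header policy yields []."""
    headers = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in headers:
        return []
    parser = _EarlyLinkFinder()
    parser.feed(body)
    return link_header_targets(headers) + parser.early

if __name__ == "__main__":
    for url in unrestricted_fetches(SAMPLE_HEADERS, SAMPLE_BODY):
        print("not covered by the <meta> CSP:", url)
```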
