Re: [CSP] Clarifications regarding the HTTP LINK Header

Mike West <mkwst@google.com> wrote:
> In particular, note the "Processing Complications" section at
> https://w3c.github.io/webappsec/specs/CSP2/#complications.
>
> WDYT?

I think this generally looks good.

I suggest you replace "In practice, this implies that user agents
should wait until all headers have been processed before beginning to
prefetch resources" with "User agents MUST wait until all header
fields have been received and until all Content-Security-Policy header
fields have been processed before fetching or prefetching resources."
Note, in particular, the replacement of "should" with "MUST."

It would be good to expand the text in the section on <meta> to more
explicitly call out what can go wrong with using <meta>-specified
policies. The current text is good in pointing out that content that
appears before the <meta> element will not be restricted by the policy
in the <meta> element, but it would be good to explicitly call out the
specific cases we are aware of, e.g. "In particular, resources
fetched or prefetched using Link: HTTP header fields and/or resources
fetched or prefetched using <link> elements that precede a <meta> CSP
policy will not be restricted by the policy."

Cheers,
Brian

Received on Monday, 19 January 2015 21:53:50 UTC
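An added simulation, written for this archive page and not code from the thread or any browser, of the two ordering gaps Brian raises: a user agent that acts on a Link: prefetch header before the Content-Security-Policy header field has been processed, and a <meta> policy that leaves <link> prefetches preceding it unrestricted. The response, origin and URLs are constructed, and source matching is simplified to 'self' plus exact scheme://host entries.

```python
from urllib.parse import urlparse
ORIGIN = "https://app.example.com"
# Constructed sample response (not from the thread): the Link: prefetch header precedes
# the CSP header, and the body has <link> prefetches on both sides of a <meta> CSP.
HEADERS = [
    ("Link", "<https://other.example.org/a.js>; rel=prefetch"),
    ("Content-Security-Policy", "default-src 'self' https://cdn.example.net"),
]
BODY = [
    ("link", "https://cdn.example.net/b.js"),  # <link rel=prefetch> before <meta>
    ("meta", "default-src 'self'"),             # <meta> policy tightens to 'self'
    ("link", "https://cdn.example.net/c.js"),  # <link rel=prefetch> after <meta>
]

def default_src(policy):
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "default-src":
            return parts[1:]
    return []  # simplified: only default-src is modelled; without it nothing is allowed

def source_allows(source, url, origin):
    # Simplified host-source matching: 'self' or an exact scheme://host entry.
    u, o = urlparse(url), urlparse(origin)
    if source == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    return f"{u.scheme}://{u.netloc}" == source

def allowed(url, policies, origin=ORIGIN):
    # Several policies intersect: every policy in force must allow the fetch.
    return all(any(source_allows(s, url, origin) for s in default_src(p)) for p in policies)

def simulate(headers, body, origin=ORIGIN, wait_for_all_headers=True):
    # Walk the response in arrival order; return (url, allowed, policies in force).
    decisions, policies, pending = [], [], []
    decide = lambda url: decisions.append((url, allowed(url, policies, origin), len(policies)))
    for name, value in headers:
        if name == "Content-Security-Policy":
            policies.append(value)
        elif name == "Link" and "rel=prefetch" in value:
            url = value[1:value.index(">")]
            pending.append(url) if wait_for_all_headers else decide(url)  # MUST wait vs. eager
    for url in pending:  # compliant UA: prefetch only after all header fields are in
        decide(url)
    for tag, value in body:
        if tag == "meta":
            policies.append(value)  # a <meta> policy restricts only what follows it
        elif tag == "link":
            decide(value)
    return decisions
```

Run `simulate(HEADERS, BODY)` against `simulate(HEADERS, BODY, wait_for_all_headers=False)` to see the Link: header prefetch flip from blocked to allowed, while the <link> before the <meta> element is allowed in both cases.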