- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 19 Jan 2015 13:53:23 -0800
- To: Mike West <mkwst@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Deian Stefan <deian@cs.stanford.edu>, Brad Hill <hillbrad@fb.com>, Ilya Grigorik <ilya@igvita.com>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> In particular, note the "Processing Complications" section at
> https://w3c.github.io/webappsec/specs/CSP2/#complications.
>
> WDYT?

I think this generally looks good.

I suggest you replace "In practice, this implies that user agents should wait until all headers have been processed before beginning to prefetch resources" with "User agents MUST wait until all header fields have been received and until all Content-Security-Policy header fields have been processed before fetching or prefetching resources." Note, in particular, the replacement of "should" with "MUST."

It would be good to expand the text in the section on <meta> to more explicitly call out what can go wrong with using <meta>-specified policies. The current text is good in pointing out that content that appears before the <meta> element will not be restricted by the policy in the <meta> element, but it would be good to explicitly call out the specific cases we are aware of, e.g. "In particular, resources fetched or prefetched using Link: HTTP header fields and/or resources fetched or prefetched using <link> elements that precede a <meta> CSP policy will not be restricted by the policy."

Cheers,
Brian
Received on Monday, 19 January 2015 21:53:50 UTC
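An added example, not from this thread or the CSP specification: a small JavaScript audit that takes a response's header fields and its HTML and lists the resources Brian describes, those referenced by Link: header fields or by <link> elements placed before a <meta>-delivered policy, which that policy cannot restrict. The header names, URLs and the simple regex-based markup parsing are constructed for illustration and assume a well-formed document.

```javascript
// Audit of the <meta> CSP ordering gap: with no Content-Security-Policy header field,
// Link: header resources and <link> elements that precede the <meta> policy are
// fetched or prefetched before any policy applies. Regex parsing is illustrative only.
const META_CSP_RE = /<meta\b[^>]*http-equiv\s*=\s*["']?content-security-policy["']?[^>]*>/i;
const LINK_EL_RE = /<link\b[^>]*>/gi;

// Parse a Link: header value such as '<https://a.example/x.js>; rel=preload; as=script'
// into [{url, rel}] records (one per comma-separated link-value).
function parseLinkHeader(value) {
  const out = [];
  for (const part of value.split(',')) {
    const m = part.match(/<([^>]+)>\s*(.*)/);
    if (!m) continue;
    const rel = m[2].match(/rel\s*=\s*"?([^";]+)"?/i);
    out.push({ url: m[1].trim(), rel: rel ? rel[1].trim() : '' });
  }
  return out;
}

// Read a single attribute value from an element's start tag.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
  return m ? m[1] : '';
}

// Returns { hasHeaderCsp, hasMetaCsp, unrestricted: [{source, url, rel}] }.
function auditCspOrdering(headers, html) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const hasHeaderCsp = 'content-security-policy' in lower;
  const metaIndex = html.search(META_CSP_RE);
  const hasMetaCsp = metaIndex !== -1;
  const unrestricted = [];
  // A header-delivered policy is processed before any fetch, so there is no gap to report.
  if (hasHeaderCsp || !hasMetaCsp) return { hasHeaderCsp, hasMetaCsp, unrestricted };
  // Link: header fields are acted on before the body is parsed; the <meta> policy never covers them.
  for (const rec of parseLinkHeader(lower['link'] || '')) unrestricted.push({ source: 'Link header', ...rec });
  // <link> elements before the <meta> policy are fetched or prefetched before it takes effect.
  for (const m of html.matchAll(LINK_EL_RE)) {
    if (m.index > metaIndex) break;
    unrestricted.push({ source: '<link> element', url: attr(m[0], 'href'), rel: attr(m[0], 'rel') });
  }
  return { hasHeaderCsp, hasMetaCsp, unrestricted };
}

// Constructed sample response: policy delivered only via <meta>, one Link: header preload,
// one <link> before the policy and one after it.
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'Link': '<https://cdn.example/early.js>; rel=preload; as=script' };
const SAMPLE_HTML = [
  '<!doctype html><html><head>',
  '<link rel="prefetch" href="https://cdn.example/prefetched.css">',
  '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">',
  '<link rel="stylesheet" href="https://cdn.example/late.css">',
  '</head><body></body></html>',
].join('\n');
```

Running `auditCspOrdering(SAMPLE_HEADERS, SAMPLE_HTML)` reports early.js (Link: header) and prefetched.css (<link> before the <meta>) as unrestricted, while late.css is governed by the policy.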