Re: [CSP] Clarifications regarding the HTTP LINK Header

On Mon, Jan 19, 2015 at 10:53 PM, Brian Smith <brian@briansmith.org> wrote:

> I suggest you replace "In practice, this implies that user agents
> should wait until all headers have been processed before beginning to
> prefetch resources" with "User agents MUST wait until all header
> fields have been received and until all Content-Security-Policy header
> fields have been processed before fetching or prefetching resources."
> Note, in particular, the replacement of "should" with "MUST."
>

I think the requirement is already pretty clearly contained in the previous
sentences ("a response returning the following headers ... MUST have the
same behavior"). I've MUSTed the last sentence for good measure, but I'm
not sure it actually adds anything.


> It would be good to expand the text in the section on <meta> to more
> explicitly call out what can go wrong with using <meta>-specified
> policies. The current text is good in pointing out that content that
> appears before the <meta> element will not be restricted by the policy
> in the <meta> element, but it would be good to explicitly call out the
> specific cases we are aware of, .e.g. "In particular, resources
> fetched or prefetched using Link: HTTP header fields and/or resource
> fetched or prefetched using <link> elements that precede a <meta> CSP
> policy will not be restricted by the policy."


Accepted this more or less verbatim.

https://github.com/w3c/webappsec/commit/6c0c6a26c21dd9e664a6770ad05033a0ace4e064

Thanks!

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 20 January 2015 10:40:20 UTC