- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 28 Jul 2016 09:40:52 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mike West <mkwst@google.com>, Joel Weinberger <jww@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Mike O'Neill" <michael.oneill@baycloud.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jul 28, 2016 at 12:43 AM, Brad Hill <hillbrad@gmail.com> wrote:
> 1) If I'm reading this correctly, you could never have a more relaxed CSP
> for a specific resource than the baseline value in an Origin Policy due to
> the way header combination works for CSP. It seems like some sort of escape
> hatch is necessary to disable Origin-Policy processing for a given response?
> (or you have to be absolutely 100% certain about the baseline policy
> contents and probably still send large delta policies with almost every
> request)

The opt-out is pointing to a different policy (or not pointing to one at
all). That will lead to the browser disregarding the existing policy of
course and notably doesn't work for CORS-preflights (too late at that
point), but it's a pretty good defense-in-depth that crossdomain.xml didn't
offer.

--
https://annevankesteren.nl/
Received on Thursday, 28 July 2016 07:41:20 UTC
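An added illustration, not code from this thread or from any specification, of the header-combination behaviour Brad describes: when a browser receives several Content-Security-Policy policies it enforces every one of them, so a per-response policy can only tighten the Origin Policy baseline, and the only way to get a more relaxed result is for the baseline not to apply at all (Anne's opt-out). The origin, policies and URLs below are constructed sample values, and the source matching is a simplified subset of CSP.

```python
from urllib.parse import urlsplit

# Constructed sample values (not from the thread): a baseline CSP that an
# Origin Policy might carry, plus two candidate per-response policies.
PAGE_ORIGIN = "https://app.example"
BASELINE = "default-src 'self'; script-src 'self' https://cdn.example"
RELAXED = "script-src 'self' https://cdn.example https://analytics.example"
TIGHTER = "script-src 'self'"


def parse_csp(policy):
    """Parse 'dir src src; dir2 ...' into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(expr, url, page_origin):
    """Simplified source matching: 'none', 'self', *, scheme:, host, *.host."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return True
    if expr.endswith(":"):
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed_by(policy, directive, url, page_origin):
    """One policy's verdict; a missing directive falls back to default-src."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True  # this policy says nothing about the directive
    return any(source_matches(s, url, page_origin) for s in sources)


def allowed_by_all(policies, directive, url, page_origin):
    """Combination rule: a load is allowed only if every policy allows it."""
    return all(allowed_by(p, directive, url, page_origin) for p in policies)
```

With BASELINE and RELAXED both in effect, the extra analytics host is still blocked; only dropping BASELINE from the list (the opt-out) lets it through.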