Re: [CSP2] Large CSP headers from Aaron Goldman on 2019-12-30 (public-webappsec@w3.org from December 2019)

From: Aaron Goldman <goldmanaaron@gmail.com>
Date: Mon, 30 Dec 2019 11:25:54 -0800
To: Daniel Veditz <dveditz@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAE6sXqgs-PsfMtZP11g9Wood7d652WfqUTnnhTydSnTpoEuW5w@mail.gmail.com>

I did not know that used to be there but policy-uri directive is very close
to what I would have recommend.
costs some latency on first access but may be worth it to save the
bandwidth on every request

On Mon, Dec 30, 2019 at 11:04 AM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Mon, Dec 30, 2019 at 7:53 AM Aaron Goldman <goldmanaaron@gmail.com>
> wrote:
>
>> Is it time to seriously consider adding includes to the csp spec
>> Large headers that could be chached if they where included from a URL are
>> becoming a common problem
>>
>
> re-adding it, you mean?
> https://www.w3.org/TR/2011/WD-CSP-20111129/#policy-uri  (Firefox even had
> an implementation but we didn't see much interest in using it at the time.)
>
> The Origin Policy proposal has always had CSP redundancy as one of the
> problems that could be solved. Early days for that spec, though.
> https://github.com/WICG/origin-policy
>
> -Dan Veditz
>
>

Received on Monday, 30 December 2019 19:26:08 UTC