ISSUE-58: Late binding of CSP policies

Late binding of CSP

Late binding of CSP policies

CSP Level 2
Raised by:
Brad Hill
Opened on:
Need to consider how to handle late-binding of CSP policies.

Right now we say that meta tags are ignored if a policy is present in header.

Sysapps Manifest spec allows specifying a supplemental CSP policy, but the manifest is lazily loaded. Creates interesting issues with initial enforcement, and differences in behavior between first load and subsequent loads once CSP is cached.

Similar issues seem to exist for ServiceWorkers and CSP.
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

Current text states: A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general mechanism for determining the effect of enforcing multiple policies is detailed in the §3.5 Enforcing multiple policies. section.

The webapp manifest recommends that a policy be delivered in a header on initial load, as manifest will be lazy loaded.

Future late-binding interactions, e.g. via an API, are a version Next issue.

Brad Hill, 27 Oct 2014, 04:13:58

Display change log ATOM feed

Daniel Veditz <>, Mike West <>, Chairs, Wendy Seltzer <>, Samuel Weiler <>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 58.html,v 1.1 2020/01/17 08:52:37 carcone Exp $