- From: Eric Rescorla <ekr@rtfm.com>
- Date: Tue, 17 Jan 2012 13:23:44 -0800
- To: public-webappsec <public-webappsec@w3.org>
I promised (Action 34) to go through the document and make sure that the first policy found is clear. Not sure it is, though. Questions:

3.1.1 reads:

    Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent must enforce the policy contained in the first such header field.

Don't we want to say MUST NOT enforce the policies contained in subsequent header fields? The same question applies to 3.1.2.

3.1.2 reads:

    Upon receiving an HTTP response containing at least one Content-Security-Policy-Report-Only header field, the user agent must monitor the policy contained in the first such header field.

What if I have both CSP and CSPRO fields? Do I do one monitor and one enforce?

3.1.3. Does this imply that I need to start enforcing as soon as I see the meta element? I don't understand the processing model well enough to know if this means that they must be processed in order.

S 4.1.2 reads:

    Fetch the request URI from origin of the protected document, with the synchronous flag set, using HTTP method GET.

I assume that the point of the synchronous flag is to force this fetch to block everything else? Just want to make sure that that is actually the impact.

-Ekr
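As an added illustration (not part of the original message and not W3C or browser code), the following Python models the header-selection rule exactly as the quoted 3.1.1 / 3.1.2 text states it: the first Content-Security-Policy field is the one enforced, the first Content-Security-Policy-Report-Only field is the one monitored, and any later duplicates of either kind are silently ignored. The two rules are independent, so a response carrying both kinds of field yields one enforced and one monitored policy. The header names are from the draft; the sample header list is constructed. Note that later CSP levels changed this model so that every policy delivered is enforced (or monitored), which is one reason the "first such header field" wording was worth questioning.

```python
"""Model of the header-selection rule quoted from the January 2012 CSP draft
(sections 3.1.1 / 3.1.2). Added illustration, not code from the W3C draft."""

from typing import List, Optional, Tuple

# Header field names taken from the quoted draft text.
ENFORCE_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"

Headers = List[Tuple[str, str]]


def first_header(headers: Headers, name: str) -> Optional[str]:
    """Return the value of the first header field with the given name.

    HTTP header field names are case-insensitive, so compare lowercased.
    The list order is the order in which the fields appeared in the response;
    everything after the first match is deliberately ignored, which is the
    behaviour the quoted draft text describes.
    """
    wanted = name.lower()
    for field_name, value in headers:
        if field_name.lower() == wanted:
            return value.strip()
    return None


def select_policies(headers: Headers) -> Tuple[Optional[str], Optional[str]]:
    """Return (policy_to_enforce, policy_to_monitor) under the quoted draft.

    The enforce and report-only rules are applied independently, so a response
    with one CSP field and one CSP-Report-Only field produces one enforced and
    one monitored policy. Either element is None when no such field exists.
    """
    return (first_header(headers, ENFORCE_HEADER),
            first_header(headers, REPORT_ONLY_HEADER))


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("content-security-policy", "default-src *"),  # second CSP field: ignored
    ("Content-Security-Policy-Report-Only", "default-src 'none'; report-uri /csp"),
    ("Content-Security-Policy-Report-Only", "script-src 'self'"),  # ignored
]

if __name__ == "__main__":
    enforce, monitor = select_policies(SAMPLE_HEADERS)
    print("enforce:", enforce)   # default-src 'self'
    print("monitor:", monitor)   # default-src 'none'; report-uri /csp
```

The point of the model is the asymmetry Ekr raises: the second CSP field in the sample would relax the policy to `default-src *`, yet under the "first such header field" rule it has no effect at all, and nothing in the quoted text says so explicitly.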
Received on Tuesday, 17 January 2012 21:25:12 UTC