ISSUE-58: Late binding of CSP policies
- State: CLOSED
- Product: CSP Level 2
- Raised by: Brad Hill
- Opened on: 2014-04-08
- Description:
  Need to consider how to handle late-binding of CSP policies.
  Right now we say that meta tags are ignored if a policy is present in the header.
  The Sysapps Manifest spec allows specifying a supplemental CSP policy, but the manifest is lazily loaded. This creates interesting issues with initial enforcement, and differences in behavior between first load and subsequent loads once the CSP is cached.
  http://manifest.sysapps.org/#csp-member
  Similar issues seem to exist for ServiceWorkers and CSP.
- Related Action Items:
  - No related actions
- Related emails:
  - No related emails
Related notes:
Current text states: "A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they're specified. The general mechanism for determining the effect of enforcing multiple policies is detailed in the §3.5 Enforcing multiple policies section."
The webapp manifest recommends that a policy be delivered in a header on initial load, since the manifest will be lazily loaded.
Future late-binding interactions, e.g. via an API, are an issue for the next version of the specification.