Logic issue with resource hint check with multiple conflicting policies #587
Comments
|
I don't think it's crazy to say that we evaluate each policy in isolation, decide whether it allows or denies a particular resource load, and then take the union of those decisions to determine whether the resource can actually load. In this particular case, it leads to a somewhat counter-intuitive result, but I don't think it's worth adding additional complexity by doing some directive-by-directive evaluation for preloads, nor do I think it makes sense to prevent preloads entirely on sites that start with a I'd be happy with simply documenting this edge case in the privacy considerations section, and calling it done. :) |
|
To make one more point: I think "This is wrong, as it allows the document to add policies that override previous policies in a way that's less restrictive." is incorrect: both policies enable preloads of any resource. Neither reduces the restrictiveness of a previous policy in that respect. |
|
You're right. Will add a note. |
Given the following policies
CSP: script-src 'none'; style-src '*'; default-src 'none'CSP: script-src '*'; style-src 'none'; default-src 'none'The current algorithm would allow prefetches.
This is wrong, as it allows the document to add policies that override previous policies in a way that's less restrictive.
The resource hint checks should only allow non-default directives to override the default if they're permissive throughout.
I wonder if we should perhaps simplify this whole thing and make prefetch use default-src without permissive overrides.
@mikewest @antosart
The text was updated successfully, but these errors were encountered: