CSP 1.1: Non-normative note about the limits of the script interface.
author Mike West <mkwst@google.com>
Tue, 29 Jan 2013 22:45:56 +0100
changeset 182 3affa0c38706
parent 181 748bf7da3690
child 183 001dc8e8bcc3
CSP 1.1: Non-normative note about the limits of the script interface.

The script interface as currently defined by CSP 1.1 only gives insight into
the state of the page's CSP. It does not promise that allowed origins are, in
fact, _accessible_. CORS, same-origin policy, etc. will all place additional
limitations on requests above and beyond CSP. Now that's explicit in the spec.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Tue Jan 29 22:37:12 2013 +0100
     1.2 +++ b/csp-specification.dev.html	Tue Jan 29 22:45:56 2013 +0100
     1.3 @@ -901,6 +901,12 @@
     1.4                            &amp;&amp; document.SecurityPolicy.allowsImageFrom('https://img.example.com/path/to/img.png'));</pre>
     1.5              </li>
     1.6            </ul>
     1.7 +          <p>Note that this interface only provides insight into the origins
     1.8 +          allowed by the page's Content Security Policy. That, of course, is
     1.9 +          not the only restriction that might be in place. Just because CSP
    1.10 +          allows you to make <code>XMLHttpReqests</code> to
    1.11 +          <code>https://bank.example.com/</code> doesn't mean that the request
    1.12 +          will go through cleanly.</p>
    1.13          </section>
    1.14        </section>
    1.15      </section>
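Review bot: the added `<p>` note misspells the API name in `<code>XMLHttpReqests</code>`; it should read `<code>XMLHttpRequests</code>`. The note also says CSP is "not the only restriction that might be in place" without saying what the others are, while the commit message names them; consider making the paragraph as explicit as the commit message, e.g. `not the only restriction that might be in place: the same-origin policy and CORS also apply.` so a reader of the spec learns which mechanisms can still block a request that CSP allows.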