Open noamr opened 1 year ago
I don't think it's crazy to say that we evaluate each policy in isolation, decide whether it allows or denies a particular resource load, and then take the union of those decisions to determine whether the resource can actually load.
In this particular case, it leads to a somewhat counter-intuitive result, but I don't think it's worth adding additional complexity by doing some directive-by-directive evaluation for preloads, nor do I think it makes sense to prevent preloads entirely on sites that start with a default-src 'none' lockdown and add specific types individually.
I'd be happy with simply documenting this edge case in the privacy considerations section, and calling it done. :)
To make one more point: I think "This is wrong, as it allows the document to add policies that override previous policies in a way that's less restrictive." is incorrect: both policies enable preloads of any resource. Neither reduces the restrictiveness of a previous policy in that respect.
You're right. Will add a note.
Given the following policies
```
CSP: script-src 'none'; style-src '*'; default-src 'none'
CSP: script-src '*'; style-src 'none'; default-src 'none'
```
The current algorithm would allow prefetches. This is wrong, as it allows the document to add policies that override previous policies in a way that's less restrictive. The resource hint checks should only allow non-default directives to override the default if they're permissive throughout.
I wonder if we should perhaps simplify this whole thing and make prefetch use default-src without permissive overrides. @mikewest @antosart
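The following is an added, runnable model of the evaluation the issue and the reply above describe; it is not code from the CSP spec, from any browser, or from either participant. It assumes (and labels) a per-policy prefetch rule of "permitted if default-src or any fetch directive in that policy would allow the URL", which is the reading under which "both policies enable preloads of any resource", and then combines policies the way CSP always does: every delivered policy must allow the load. It also models the stricter alternative floated at the end of the issue (prefetch follows default-src only, no permissive overrides) so the two outcomes can be compared on the two policies from the issue. The source-expression matcher is a toy (only 'none', *, 'self' and host sources), and the bare `*` is accepted alongside the quoted `'*'` spelling used in the issue text.

```javascript
// Added example (not spec or browser code): policy-by-policy CSP evaluation
// of typed loads versus untyped prefetches, on the two policies from the issue.

// Fetch directives that can fall back to default-src (subset; assumption).
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src', 'font-src'];

// Parse "script-src 'none'; style-src *" into Map<directiveName, [source expressions]>.
// Duplicate directive names are ignored after the first, as in CSP.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Toy source-list matcher: empty list or a lone 'none' blocks everything;
// otherwise any of *, 'self', scheme://host or bare host may match the URL.
function sourceListAllows(sources, url, selfOrigin) {
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return sources.some(s => {
    const lower = s.toLowerCase();
    if (lower === '*' || lower === "'*'") return true; // issue writes it quoted; grammar uses bare *
    if (lower === "'self'") return url.origin === selfOrigin;
    if (lower === "'none'") return false; // ignored when other sources are present
    if (lower.includes('://')) return url.origin === new URL(lower).origin;
    return url.hostname === lower;
  });
}

// A typed load (script, style, ...) is governed by its own directive, falling back
// to default-src; a policy that sets neither places no restriction on it.
function policyAllowsLoad(policy, directiveName, url, selfOrigin) {
  const list = policy.get(directiveName) ?? policy.get('default-src');
  return list === undefined ? true : sourceListAllows(list, url, selfOrigin);
}

// Prefetch has no resource type. ASSUMED per-policy rule matching the thread's
// description: allowed if default-src or ANY fetch directive would allow the URL.
function policyAllowsPrefetch(policy, url, selfOrigin) {
  const present = ['default-src', ...FETCH_DIRECTIVES].filter(name => policy.has(name));
  if (present.length === 0) return true; // nothing restricts fetches at all
  return present.some(name => sourceListAllows(policy.get(name), url, selfOrigin));
}

// The stricter alternative from the issue: prefetch follows default-src only.
function policyAllowsPrefetchStrict(policy, url, selfOrigin) {
  const list = policy.get('default-src');
  return list === undefined ? true : sourceListAllows(list, url, selfOrigin);
}

// Constructed scenario: the two policies from the issue and one cross-origin URL.
const SELF_ORIGIN = 'https://app.example';
const POLICIES = [
  "script-src 'none'; style-src '*'; default-src 'none'",
  "script-src '*'; style-src 'none'; default-src 'none'",
].map(parsePolicy);

// Every delivered policy must allow the load; returns each outcome for comparison.
function evaluateScenario(urlString = 'https://cdn.example/lib.js') {
  const url = new URL(urlString);
  return {
    prefetch: POLICIES.every(p => policyAllowsPrefetch(p, url, SELF_ORIGIN)),
    script: POLICIES.every(p => policyAllowsLoad(p, 'script-src', url, SELF_ORIGIN)),
    style: POLICIES.every(p => policyAllowsLoad(p, 'style-src', url, SELF_ORIGIN)),
    prefetchStrict: POLICIES.every(p => policyAllowsPrefetchStrict(p, url, SELF_ORIGIN)),
  };
}

console.log(evaluateScenario());
// prefetch: true (each policy has one permissive fetch directive),
// script: false, style: false (each typed load is blocked by one of the policies),
// prefetchStrict: false (default-src 'none' in both)
```

The counter-intuitive result is visible in the output: the prefetch of `https://cdn.example/lib.js` passes every policy, yet no typed load of that URL could ever pass both, since the first policy blocks it as a script and the second blocks it as a style. The strict variant reproduces what "default-src without permissive overrides" would do, and also shows why that variant prevents preloads entirely on a site that starts from a `default-src 'none'` lockdown.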