Merge pull request #2013 from w3c/csp

Add paragraph about origin-specific security headers being hard to use in EPUB
w3c · Mar 2, 2022 · 19b9eac · 19b9eac
2 parents 8ca3177 + 37d730d
commit 19b9eac
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/epub33/core/index.html b/epub33/core/index.html
@@ -8817,6 +8817,13 @@ <h3>Threat Model</h3>
 						<p>Checking for malware and exploits at distribution time is not always reliable, either, as the
 							malicious content can be swapped in any time after publication, unlike resources that come
 							embedded in the EPUB Container.</p>
+						<p>The <a href="#sec-container-iri">origin</a> of an EPUB is both unknown to the EPUB Creator and
+							specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote
+							resources on a web server they control, the server effectively cannot use security features that
+							require specifying allowable origins, such as headers for
+							<a href="https://fetch.spec.whatwg.org/#cors-protocol">CORS</a>,
+							<a href="https://www.w3.org/TR/CSP2/#content-security-policy-header-field"><code>Content-Security-Policy</code></a>,
+							or <a href="https://www.rfc-editor.org/rfc/rfc7034"><code>X-Frame-Options</code></a>.</p>
 					</dd>
 
 					<dt>Linking to external resources</dt>

diff --git a/epub33/rs/index.html b/epub33/rs/index.html
@@ -2156,6 +2156,13 @@ <h3>Threat Model</h3>
 						<p>Calls to remote resources can also be used to track information about users (e.g., through
 							server logs). Reading Systems should limit the information they expose through HTTP requests
 							to only what is essential to obtain the resource.</p>
+						<p>The <a href="#sec-container-iri">origin</a> of an EPUB is both unknown to the EPUB Creator and
+							specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote
+							resources on a web server they control, the server effectively cannot use security features that
+							require specifying allowable origins, such as headers for
+							<a href="https://fetch.spec.whatwg.org/#cors-protocol">CORS</a>,
+							<a href="https://www.w3.org/TR/CSP2/#content-security-policy-header-field"><code>Content-Security-Policy</code></a>,
+							or <a href="https://www.rfc-editor.org/rfc/rfc7034"><code>X-Frame-Options</code></a>.</p>
 					</dd>
 
 					<dt>External links</dt>