
CSP spec vs listed-type headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 02 Oct 2009 16:21:52 +0200
Message-ID: <4AC60C80.1060808@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>

I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:

-- cut --
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
-- cut --

This violates the HTTP rules for header fields; see

"Multiple message-header fields with the same field-name MAY be present
in a message if and only if the entire field-value for that header field
is defined as a comma-separated list [i.e., #(values)]."

BR, Julian
Received on Friday, 2 October 2009 14:22:35 UTC
