
CSP spec vs listed-type headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 02 Oct 2009 16:21:52 +0200
Message-ID: <4AC60C80.1060808@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:

-- cut --
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
-- cut --

(<https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions>)

This violates the HTTP rules for header fields; see 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>:

"Multiple message-header fields with the same field-name MAY be present 
in a message if and only if the entire field-value for that header field 
is defined as a comma-separated list [i.e., #(values)]."

BR, Julian
Received on Friday, 2 October 2009 14:22:35 GMT
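As an added example (not part of Julian's message or of the CSP spec page he cites), the following Python shows what the RFC 2616 rule protects against. A recipient is allowed to join repeated fields of one name with ", "; that is lossless for a #(values) header such as Accept, but for the semicolon-separated CSP syntax the comma lands inside a directive's source list. The CSP parser here is a deliberately naive split on ';' written for this illustration, an assumption made here and not the behaviour of any real implementation; the Accept header sample is constructed.

```python
# Added example for this thread; not code from the CSP spec or the message.
# Demonstrates RFC 2616 section 4.2: repeated fields of one name may be joined
# with ", " only when the field-value is already a comma-separated list.
# The CSP parser below is a deliberately naive split on ';' (an assumption made
# here to illustrate the point, not the behaviour of any real implementation).


def combine_header_fields(headers, name):
    """Join repeated fields of `name` with ", " as RFC 2616 4.2 permits.
    `headers` is a list of (field-name, field-value) pairs in wire order."""
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def parse_comma_list(value):
    """Parser for a #(values) header such as Accept: split on commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_csp_policy(value):
    """Naive parser for the 2009 X-Content-Security-Policy syntax:
    directives are separated by ';' and each is 'name source ...'.
    Returns a list so that repeated directive names are not hidden."""
    directives = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, sources = chunk.partition(" ")
        directives.append((name.lower(), sources.split()))
    return directives


def repeat_is_lossless(values, parse):
    """True if parsing the RFC 2616 combined value gives the same result as
    parsing each field separately and concatenating, i.e. repeating the
    header is safe for this grammar."""
    separately = [item for v in values for item in parse(v)]
    combined = parse(", ".join(values))
    return separately == combined


# Constructed sample message headers (not captured traffic).
ACCEPT_HEADERS = [
    ("Accept", "text/html"),
    ("Accept", "application/xml"),
]

# The two sample policies from the CSP spec page, sent as repeated fields.
CSP_HEADERS = [
    ("X-Content-Security-Policy", "allow *; script-src 'self'"),
    ("X-Content-Security-Policy",
     "allow *; script-src 'self'; media-src 'self';"),
]


def script_sources_after_combining(headers=CSP_HEADERS):
    """All source expressions that end up attached to script-src once the
    two policy fields are combined per RFC 2616 and parsed naively."""
    combined = combine_header_fields(headers, "X-Content-Security-Policy")
    return [src for name, srcs in parse_csp_policy(combined)
            if name == "script-src" for src in srcs]


if __name__ == "__main__":
    print(combine_header_fields(ACCEPT_HEADERS, "Accept"))
    print(repeat_is_lossless([v for _, v in ACCEPT_HEADERS], parse_comma_list))
    print(combine_header_fields(CSP_HEADERS, "X-Content-Security-Policy"))
    print(repeat_is_lossless([v for _, v in CSP_HEADERS], parse_csp_policy))
    print(script_sources_after_combining())
```

Running it shows the Accept case round-tripping cleanly, while the combined CSP value becomes "allow *; script-src 'self', allow *; script-src 'self'; media-src 'self';" and the naive parser attributes "'self',", "allow" and "*" to script-src. Whether a real parser would end up more permissive or just reject the policy depends on its grammar; the point of the RFC rule is that a recipient that combines fields in the permitted way must not be able to change the meaning.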
