On Fri, Oct 2, 2009 at 4:21 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Hi,
>
> I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:
>
> -- cut --
> X-Content-Security-Policy: allow *; script-src 'self'
> X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
> -- cut --
>
> (<https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions>)
>
> This violates the HTTP rules for header fields; see
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>:
>
> "Multiple message-header fields with the same field-name MAY be present in a
> message if and only if the entire field-value for that header field is
> defined as a comma-separated list [i.e., #(values)]."

Well, given that the syntax for the header isn't clearly defined, I wouldn't say that it's a violation (define its value as #(<policy>) and you're done).

The issue would more be that <fv-char> (used in <future-value>) and, AFAICT, URI allow commas, unescaped and outside quoted strings or similar delimiting constructs; which makes splitting on comma difficult (splitting on /,\s*allow\s/ should work if I'm reading things correctly, unless a <future-value> contains such a string...)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/

Received on Friday, 2 October 2009 15:53:09 GMT
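The point under discussion, worked through in code. This is an added example and not code from the thread, from Mozilla, or from any CSP implementation: it takes the two sample header values quoted above, combines them the way RFC 2616 section 4.2 permits a recipient to (joining repeated fields with ", "), and then compares a naive split on every comma with the /,\s*allow\s/-style split suggested in the reply. The third and fourth sample values (a source URI containing a comma, and a made-up future directive whose value happens to contain ", allow ") are constructed here to show why the naive split breaks and where even the keyword-anchored split can still be fooled.

```javascript
// Added example: combining repeated X-Content-Security-Policy fields and
// splitting the result back into individual policies.

// Constructed sample values (the first two are the thread's samples).
const HEADER_VALUES = [
  "allow *; script-src 'self'",
  "allow *; script-src 'self'; media-src 'self';",
];
// Constructed: a source URI with an unescaped comma (RFC 3986 allows it).
const POLICY_WITH_COMMA_URI =
  "allow *; script-src http://cdn.example.org/lib,v2/ 'self'";
// Constructed: a hypothetical future directive whose value contains ", allow ".
const POLICY_WITH_FUTURE_VALUE =
  "allow *; some-future-directive value, allow more";

// RFC 2616 §4.2: repeated fields may be combined into one field-value by
// joining them with commas, preserving order.
function combineHeaderFields(values) {
  return values.join(", ");
}

// Naive recipient: treats every comma as a separator between policies.
function naiveSplit(fieldValue) {
  return fieldValue.split(",").map(s => s.trim()).filter(Boolean);
}

// Keyword-anchored split: only break at a comma that is followed by the
// "allow" keyword starting the next policy. A lookahead keeps "allow"
// attached to the policy it begins. This is the /,\s*allow\s/ idea from
// the message; it still misfires if a directive value contains ", allow ".
function splitPolicies(fieldValue) {
  return fieldValue.split(/,\s*(?=allow\s)/).map(s => s.trim()).filter(Boolean);
}

// Parse one policy ("dir src src; dir src") into { dir: [src, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name] = sources;
  }
  return directives;
}

// Demo when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const combined = combineHeaderFields(HEADER_VALUES);
  console.log("combined:", combined);
  console.log("naive split count:", naiveSplit(combined).length);
  console.log("policy split count:", splitPolicies(combined).length);
  console.log("URI case, naive:", naiveSplit(POLICY_WITH_COMMA_URI));
  console.log("URI case, anchored:", splitPolicies(POLICY_WITH_COMMA_URI));
  console.log("future-value case, anchored:", splitPolicies(POLICY_WITH_FUTURE_VALUE));
  console.log(parsePolicy(HEADER_VALUES[1]));
}
```

Run it with node: the two thread samples split cleanly either way because neither contains a comma, the comma-in-URI case splits into two bogus policies under the naive rule but stays whole under the anchored rule, and the constructed future-directive case shows the anchored rule producing a spurious second policy, which is exactly the residual risk the reply points out.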