
Re: CSP spec vs listed-type headers

From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 2 Oct 2009 17:52:34 +0200
Message-ID: <a9699fd20910020852n6bf3c713r307dfb1c64952b39@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Oct 2, 2009 at 4:21 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Hi,
>
> I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:
>
> -- cut --
> X-Content-Security-Policy: allow *; script-src 'self'
> X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
> -- cut --
>
> (<https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions>)
>
> This violates the HTTP rules for header fields; see
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>:
>
> "Multiple message-header fields with the same field-name MAY be present in a
> message if and only if the entire field-value for that header field is
> defined as a comma-separated list [i.e., #(values)]."

Well, given that the syntax for the header isn't clearly defined, I
wouldn't say that it's a violation (define its value as #(<policy>) and
you're done).
The issue is more that <fv-char> (used in <future-value>) and,
AFAICT, URI allow commas, unescaped and outside quoted strings or
similar delimiting constructs, which makes splitting on comma
difficult (splitting on /,\s*allow\s/ should work if I'm reading
things correctly, unless a <future-value> contains such a string...)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Friday, 2 October 2009 15:53:09 GMT
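Added example (Python, not part of the thread or of the CSP spec): it folds the quoted sample fields into one comma-separated value as RFC 2616 section 4.2 permits, then compares a naive comma split with a split on the ", allow" boundary suggested in the message, written with a lookahead so each policy keeps its leading directive. The third header value, the future-directive sample and the example.test host are constructed.

```python
import re

# Constructed sample: the two sample fields quoted from the CSP wiki, plus a
# constructed third policy whose URI source carries an unescaped comma.
RAW_HEADERS = [
    "allow *; script-src 'self'",
    "allow *; script-src 'self'; media-src 'self';",
    "allow 'self'; img-src http://img.example.test/a,b",  # constructed
]

# Constructed sample: a hypothetical future directive whose <future-value>
# itself contains ", allow " (the case the message flags as ambiguous).
FUTURE_VALUE_HEADERS = [
    "allow *; report-uri http://r.example.test/",
    "allow 'self'; x-future-directive token, allow token2",  # constructed
]


def fold_header_fields(values):
    """Combine repeated fields the way RFC 2616 4.2 allows a recipient to:
    one field whose value is the comma-separated list of the originals."""
    return ", ".join(values)


def split_naive(field_value):
    """Split a folded value on every comma, as #(policy) syntax would imply.
    Breaks any policy whose URI or <future-value> contains a bare comma."""
    return [p.strip() for p in field_value.split(",")]


def split_on_allow(field_value):
    """Split only at a comma followed by optional whitespace and the 'allow'
    directive that opens each policy. The lookahead keeps 'allow' in the
    piece that follows instead of consuming it, as /,\\s*allow\\s/ would."""
    return [p.strip() for p in re.split(r",\s*(?=allow\s)", field_value)]


if __name__ == "__main__":
    folded = fold_header_fields(RAW_HEADERS)
    print("naive :", split_naive(folded))        # 4 pieces, URI torn apart
    print("allow :", split_on_allow(folded))     # 3 policies, intact
    # The future-directive sample still splits into 3 instead of 2.
    print("future:", split_on_allow(fold_header_fields(FUTURE_VALUE_HEADERS)))
```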
