
Re: CSP syntax

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 03 Feb 2011 10:06:46 -0800
Message-ID: <4D4AEEB6.5000300@mozilla.com>
To: Terri Oda <terri@zone12.com>
CC: public-web-security@w3.org

On 2/2/11 10:18 PM, Terri Oda wrote:
> Content-Security-Policy: {
>     script-src: example.com, paypalobjects.com;
> }

One warning about commas -- should there be two headers with the
same name it's permissible for proxies to combine them into one,
separated by a comma.

From RFC 2616 section 4.2:

   It MUST be possible to combine the multiple header fields into
   one "field-name: field-value" pair, without changing the
   semantics of the message, by appending each subsequent
   field-value to the first, each separated by a comma.

I don't know if any proxies commonly do this, but it's permissible.
AFAIK there's no provision for -splitting- headers on commas, so your
syntax is still OK as long as you allow for the possibility of "{
policy }, { another header's worth }".

The Mozilla CSP spec avoids commas for this reason, using ';' as
delimiters. That way we can split on a comma if found and then
intersect the two policies (tightening restrictions). Otherwise
there might be a rare attack where if you found a potential victim
on a path with a proxy that does that kind of coalescing AND could
inject a second header then you could disable or weaken the CSP
policy for that site.

-Dan Veditz
Received on Thursday, 3 February 2011 18:07:27 GMT
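The split-then-intersect handling Dan describes, written out as an added example (not code from the message, the Mozilla CSP implementation, or any W3C draft). It assumes a simplified ';'-delimited policy grammar of the form `directive-name source source ...`, with `*` meaning any source and `'none'` meaning no source; the header values below are constructed, and the real CSP fallback from `script-src` to `default-src` is deliberately left out to keep the intersection logic visible:

```python
"""Handle an RFC 2616 4.2 coalesced CSP header: split on ',' and intersect.

Assumed simplified grammar (not the Mozilla or W3C spec text):
    policy      := directive (';' directive)*
    directive   := name source*
A coalesced header value carries several policies joined by ','.
"""

from typing import Dict, Iterable, List, Set

Policy = Dict[str, Set[str]]  # directive name -> allowed source set


def parse_policy(text: str) -> Policy:
    """Parse one ';'-delimited policy into {directive: sources}."""
    policy: Policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), set(tokens[1:])
        if sources == {"'none'"}:
            sources = set()  # 'none' allows nothing
        # A directive repeated inside one policy: the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def split_coalesced(header_value: str) -> List[str]:
    """Undo proxy coalescing: one header value may hold several policies, comma-joined."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def intersect_sources(a: Set[str], b: Set[str]) -> Set[str]:
    """Sources allowed by both lists; '*' imposes no restriction of its own."""
    if "*" in a:
        return set(b)
    if "*" in b:
        return set(a)
    return a & b


def intersect_policies(policies: Iterable[Policy]) -> Policy:
    """Combine policies so a source is allowed only if every policy allows it.

    A directive present in only one policy is kept as-is: the other policy
    placed no restriction on it, so it cannot loosen anything.
    """
    merged: Policy = {}
    for policy in policies:
        for name, sources in policy.items():
            if name in merged:
                merged[name] = intersect_sources(merged[name], sources)
            else:
                merged[name] = set(sources)
    return merged


def effective_policy(header_value: str) -> Policy:
    """The policy a client should enforce for a possibly coalesced header value."""
    return intersect_policies(parse_policy(p) for p in split_coalesced(header_value))


def allows(policy: Policy, directive: str, source: str) -> bool:
    """True if the directive permits the source (absent directive: unrestricted here)."""
    sources = policy.get(directive)
    if sources is None:
        return True
    return "*" in sources or source in sources


if __name__ == "__main__":
    # Constructed: the site's own header, then the same value after a proxy
    # appended a second, fully permissive header's worth of policy.
    legit = "script-src example.com paypalobjects.com; img-src 'self'"
    coalesced = legit + ", script-src *"
    print(effective_policy(coalesced))
    # The second policy adds no source; only tightening is possible.
```

Because `split_coalesced` cuts on every comma, a policy grammar that itself used commas as the source delimiter (as in the quoted proposal) could not be recovered from a coalesced value, which is the reason the message gives for preferring ';'.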

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 3 February 2011 18:09:19 GMT