Re: CSP syntax

Daniel Veditz wrote:
> The Mozilla CSP spec avoids commas for this reason, using ';' as
> delimiters. That way we can split on a comma if found and then
> intersect the two policies (tightening restrictions). Otherwise
> there might be a rare attack where if you found a potential victim
> on a path with a proxy that does that kind of coalescing AND could
> inject a second header then you could disable or weaken the CSP
> policy for that site.

That's actually a really great point and a potential reason for 
suggesting that we use a header-specific format rather than co-opt any 
existing one.  Headers are subject to additional restrictions that 
wouldn't apply to existing languages.  As such, maybe it really does 
make more sense to have the header link to an external file or have the 
policy as stated in the header be a compressed/compiled version of the 
ones humans would read.

I vaguely recall that there was a reason a separate policy file was 
rejected as an idea in previous CSP discussion. I think it might have 
been that a separate file was deemed excessive due to the original small 
size of CSP, but now that CSP has been expanded to be more expressive 
this seems to be less true.  Can anyone refresh our memories as to why 
and whether those constraints continue to be an issue?

Received on Friday, 4 February 2011 21:04:06 UTC
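
The split-and-intersect handling described in the quoted text, sketched as an added example (not code from the original message or from any CSP implementation). The directive names in the sample header, the exact-string source matching, and the treatment of an omitted directive as "no restriction" are assumptions of this simplified model.

```javascript
// Added illustration; a simplified model, not a real CSP implementation.
// Assumptions: sources match by exact string, '*' allows anything, and a
// policy that omits a directive places no restriction on it.

// Split a header value that an intermediary may have coalesced with commas.
function splitPolicies(headerValue) {
  return headerValue.split(',').map(s => s.trim()).filter(Boolean);
}

// Parse one policy: directives delimited by ';', each a name then its sources.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // Choice made here: first occurrence wins, so a repeat cannot widen it.
    if (!policy.has(name)) policy.set(name, new Set(sources));
  }
  return policy;
}

// Intersect: a source survives only if every policy naming the directive allows it.
function intersectPolicies(policies) {
  const result = new Map();
  for (const policy of policies) {
    for (const [name, sources] of policy) {
      if (!result.has(name)) { result.set(name, new Set(sources)); continue; }
      const current = result.get(name);
      let merged;
      if (current.has('*')) merged = new Set(sources);
      else if (sources.has('*')) merged = current;
      else merged = new Set([...current].filter(s => sources.has(s)));
      result.set(name, merged);
    }
  }
  return result;
}

function effectivePolicy(headerValue) {
  return intersectPolicies(splitPolicies(headerValue).map(parsePolicy));
}

// Constructed sample: the site's policy followed by a second, weaker policy,
// coalesced into one comma-separated header value.
const coalesced =
  "script-src 'self' cdn.example; img-src 'self', script-src *; img-src *";
const eff = effectivePolicy(coalesced);
console.log([...eff].map(([k, v]) => `${k} ${[...v].join(' ')}`).join('; '));
```

Because the result is an intersection, the second policy in the sample cannot loosen the first; it can only tighten it.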