- From: Tobias Gondrom <tobias.gondrom@gondrom.org>
- Date: Sat, 24 Mar 2012 10:05:46 +0000
- To: public-web-security@w3.org
Hello,

very nice progress with the CSP and looking forward to this. A small comment. (In case it's already been dealt with, please accept my apologies for missing it.)

Regarding section 3.1.2, Content-Security-Policy-Report-Only Header Field, which says:

"If a server supplies at least one Content-Security-Policy-Report-Only header field in an HTTP response, the server must not supply any Content-Security-Policy header fields."

It does not state what the client MUST do in case of receiving this combination. I would assume something like:

"A server MUST NOT provide Content-Security-Policy header field(s) and Content-Security-Policy-Report-Only header field(s) in the same HTTP response. If a client received both header fields in a response, it MUST discard all Content-Security-Policy-Report-Only header fields and MUST enforce the Content-Security-Policy header field. A warning SHOULD be sent to the report URI as specified in the Content-Security-Policy, if the report address is specified."

Would that be a correct assumption?

And on a personal note: I wonder whether it may be useful to stress more that it would be strongly recommended to use TLS/SSL channel protection for CSP headers to protect their integrity (as with plain http a MitM can not only read the channel but, by injecting a different CSP header, could potentially abuse the CSP reporting functionality)? What do you think?

Best regards, Tobias (ietf websec)

Tobias Gondrom
email: tobias.gondrom@gondrom.org
mobile: +447521003005
Received on Saturday, 24 March 2012 10:06:11 UTC
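The client-side precedence rule proposed in the message, as an added example that is not part of the original post and not text from any CSP specification: given the response header fields, discard every Report-Only field when an enforcing field is also present, enforce the Content-Security-Policy field(s), and collect the report-uri values of the enforced policy so the user agent can warn there. The `parse_policy` helper is a deliberately simplified directive parser assumed for this example; the header values are constructed.

```python
from typing import Dict, List, Tuple

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Simplified CSP parser (assumed for this example): split on ';',
    first token is the directive name, the rest are its values."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def select_policies(headers: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Apply the precedence rule proposed in the message.

    Returns (policies_to_enforce, policies_to_report_only, warning_report_uris).
    When both header fields appear in one response, the Report-Only fields are
    discarded and the report-uri values of the enforced policies are returned so
    the client can send a warning there."""
    enforce = [v for name, v in headers if name.lower() == ENFORCE]
    report_only = [v for name, v in headers if name.lower() == REPORT_ONLY]
    warning_uris: List[str] = []
    if enforce and report_only:
        for policy in enforce:
            warning_uris.extend(parse_policy(policy).get("report-uri", []))
        report_only = []  # discarded per the proposed rule
    return enforce, report_only, warning_uris


# Constructed sample response: both header fields present in one response.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; report-uri /csp-report"),
    ("Content-Security-Policy-Report-Only", "default-src 'none'; report-uri /csp-ro"),
]

if __name__ == "__main__":
    enforced, reporting, warnings = select_policies(SAMPLE_HEADERS)
    print("enforce:", enforced)
    print("report-only kept:", reporting)
    print("warn via report-uri:", warnings)
```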