W3C home > Mailing lists > Public > public-web-security@w3.org > March 2012

question regarding client handling of Content-Security-Policy and Content-Security-Policy-Report-Only

From: Tobias Gondrom <tobias.gondrom@gondrom.org>
Date: Sat, 24 Mar 2012 10:05:46 +0000
Message-ID: <4F6D9C7A.4060505@gondrom.org>
To: public-web-security@w3.org
Hello,

very nice progress with the CSP and looking forward to this.

A small comment.
(In case it's already been dealt with, please my apologies for missing it):

regarding section 3.1.2 Content-Security-Policy-Report-Only Header Field 
says:
"If a server supplies at least one Content-Security-Policy-Report-Only 
header field in an HTTP response, the server must not supply any 
Content-Security-Policy header fields."

It does not state what the client MUST do in case of receiving this 
combination.

I would assume, something like:
"A server MUST NOT provide Content-Security-Policy header field(s) and 
Content-Security-Policy-Report-Only header field(s) in the same HTTP 
response.  If a client received both header fields in a response, it 
MUST discard all Content-Security-Policy-Report-Only header fields and 
MUST enforce the Content-Security-Policy header field.  A warning SHOULD 
be send to the report URI as specified in the Content-Security-Policy, 
if the report address is specified."
Would that be a correct assumption?


And on a personal note: I wonder whether it may be useful to stress more 
that it would be strongly recommended to use TLS/SSL channel protection 
for CSP headers to protect their integrity (as with plain http MitM can 
not only read the channel but by injecting a different CSP-header could 
potentially abuse CSP-reporting functionality? What do you think?

Best regards,

Tobias
(ietf websec)


Tobias Gondrom
email: tobias.gondrom@gondrom.org
mobile: +447521003005
Received on Saturday, 24 March 2012 10:06:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 24 March 2012 10:06:12 GMT