
Multiple Content-Security-Policy headers

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 4 May 2012 10:37:16 -0700
Message-ID: <CAJE5ia9X6m+w0uQ5GWCHVb6fDEpYEL3k1ek9WCsXk_2dF7Pk_Q@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Daniel Veditz <dveditz@mozilla.com>

At the face-to-face meeting, we discussed what to do when the user
agent receives multiple Content-Security-Policy headers.  At the
meeting, we discussed enforcing default-src 'none' as the policy in
that case in order to fail in an obnoxious way that the developer is
likely to notice.

During the test jam, I noticed that all the tests used the
following pattern:

Content-Security-Policy: <insert policy here>
X-Content-Security-Policy: <insert policy here>
X-WebKit-CSP: <insert policy here>

Do we really want to enforce default-src 'none' in this case too?
That doesn't seem like the right thing to do.  Perhaps we ought to
just enforce all the policies after all.

Adam
Received on Friday, 4 May 2012 17:38:19 GMT
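The two options Adam contrasts (collapse to default-src 'none' whenever more than one policy arrives, or enforce every received policy) can be made concrete with a small model of a user agent's decision logic. The following is an added example written for this archive page; it is not code from the message, from any browser, or from the CSP specification. It assumes a hypothetical user agent that honours both the standard header name and one prefixed legacy name (so the test-jam pattern yields two policies), models only a subset of CSP source syntax ('none', 'self', '*', scheme: and host sources), and uses constructed header values and a constructed page origin.

```python
from urllib.parse import urlparse

# Header names a hypothetical user agent recognises as CSP (assumption for this
# example: this UA honours the standard name plus one prefixed legacy name).
RECOGNISED = ("content-security-policy", "x-webkit-csp")


def collect_policies(headers, recognised=RECOGNISED):
    """Return the value of every response header the UA treats as a CSP policy."""
    return [v for (n, v) in headers if n.lower() in recognised]


def parse_policy(value):
    """Parse one policy string into {directive: [source expressions]}.
    A directive repeated inside a single policy is ignored (first occurrence wins)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """True if one source expression permits loading url.
    Only the subset of CSP source syntax needed here is modelled."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == page_origin
    if source.endswith(":"):                    # scheme-source, e.g. https:
        return u.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")  # host-source with optional scheme
    host = rest.split("/")[0].split(":")[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if host.startswith("*."):                   # wildcard matches subdomains only
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def policy_allows(policy, directive, url, page_origin):
    """Evaluate a single policy: use the directive if present, else default-src;
    with neither, this policy does not restrict the load."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def load_allowed(headers, directive, url, page_origin, mode="enforce-all"):
    """Decide a load under the two options discussed on the list.
    enforce-all: allowed only if every received policy allows it (intersection).
    fail-closed: more than one policy collapses to default-src 'none'."""
    values = collect_policies(headers)
    if mode == "fail-closed" and len(values) > 1:
        values = ["default-src 'none'"]
    return all(policy_allows(parse_policy(v), directive, url, page_origin)
               for v in values)


# Constructed sample: the test-jam pattern, one policy sent under three names.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
TEST_JAM_HEADERS = [
    ("Content-Security-Policy", POLICY),
    ("X-Content-Security-Policy", POLICY),
    ("X-WebKit-CSP", POLICY),
]
ORIGIN = ("https", "app.example.com", None)  # constructed page origin

if __name__ == "__main__":
    for mode in ("enforce-all", "fail-closed"):
        ok = load_allowed(TEST_JAM_HEADERS, "script-src",
                          "https://app.example.com/app.js", ORIGIN, mode)
        print(f"{mode}: the page's own script is allowed = {ok}")
```

Under enforce-all, the duplicated policy behaves exactly like a single copy, which is the outcome the test pattern expects; under fail-closed, the same page loses even its own scripts. Enforcing all policies also handles the case where the values genuinely differ: a load has to pass each one, so a second header can only tighten what the first allows, never widen it.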
