
Re: Multiple Content-Security-Policy headers

From: Giorgio Maone <g.maone@informaction.com>
Date: Fri, 04 May 2012 20:08:30 +0200
Message-ID: <4FA41B1E.5060502@informaction.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org, Daniel Veditz <dveditz@mozilla.com>
On 04/05/2012 19:37, Adam Barth wrote:
> what to do when the user
> agent receives multiple Content-Security-Policy headers.  At the
> meeting, we discussed enforcing default-src 'none' as the policy in
> that case in order to fail in an obnoxious way that the developer is
> likely to notice.
> 
> During the test jam, I noticed that all the tests used the
> following pattern:
> 
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
> 
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do.  Perhaps we ought to
> just enforce all the policies after all.


Or enforce the first one we can recognize, but if we find more than one
of the same "variant" (e.g. two X-WebKit-CSP) *then* fail hard? Wouldn't
this allow graceful degradation patterns with prefixed headers, but
still help authors to clean up bogus configurations?

-- G
Received on Friday, 4 May 2012 18:15:40 GMT
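To make the three options in this exchange concrete, here is an added illustration (not code from the thread, any browser, or the CSP spec) that resolves a response's CSP headers under the meeting rule, under "enforce all", and under the first-recognized-variant rule proposed above. The variant names, the header order and the sample responses are constructed assumptions.

```python
from collections import Counter

# Header names this hypothetical user agent recognizes as CSP variants
# (the unprefixed name plus the two vendor-prefixed ones seen in the thread).
CSP_VARIANTS = ("content-security-policy",
                "x-content-security-policy",
                "x-webkit-csp")
FAIL_HARD = "default-src 'none'"   # the "obnoxious" fallback policy

def _recognized(headers):
    """Return (lowercased name, value) for every CSP header, in wire order."""
    return [(n.lower(), v) for n, v in headers if n.lower() in CSP_VARIANTS]

def policies_meeting_rule(headers):
    """Meeting proposal: more than one CSP header of any kind -> fail hard."""
    found = [v for _, v in _recognized(headers)]
    return [FAIL_HARD] if len(found) > 1 else found

def policies_enforce_all(headers):
    """Adam's alternative: enforce every delivered policy (each applies)."""
    return [v for _, v in _recognized(headers)]

def policies_first_variant_rule(headers):
    """Giorgio's proposal: enforce the first recognized header, but fail hard
    when the same variant name is repeated (a bogus configuration)."""
    found = _recognized(headers)
    if any(c > 1 for c in Counter(n for n, _ in found).values()):
        return [FAIL_HARD]
    return [found[0][1]] if found else []

# Constructed sample responses (header name, value), in the order received.
TEST_JAM_PATTERN = [                      # the pattern the test jam used
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Security-Policy", "default-src 'self'"),
    ("X-WebKit-CSP", "default-src 'self'"),
]
DUPLICATE_VARIANT = [                     # same prefixed header sent twice
    ("X-WebKit-CSP", "default-src 'self'"),
    ("X-WebKit-CSP", "script-src 'none'"),
]
NO_CSP = [("Content-Type", "text/html")]

if __name__ == "__main__":
    for name, rule in (("meeting", policies_meeting_rule),
                       ("enforce-all", policies_enforce_all),
                       ("first-variant", policies_first_variant_rule)):
        print(name, rule(TEST_JAM_PATTERN), rule(DUPLICATE_VARIANT))
```

Under the test-jam pattern only the first-variant rule keeps the intended policy; the duplicated prefixed header is the case it still fails hard on.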
