
Re: Multiple Content-Security-Policy headers

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 07 May 2012 11:08:16 -0700
Message-ID: <4FA80F90.1040009@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org

On 5/4/12 10:37 AM, Adam Barth wrote:
> During the test jam, I noticed that all the tests used the
> following pattern:
> 
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
> 
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do.  Perhaps we ought to
> just enforce all the policies after all.

How do you enforce "all" the policies if they are different? Unless
you're reintroducing policy intersecting you still have to pick
whether you're going to follow one or the other.

-Dan Veditz
Received on Monday, 7 May 2012 18:09:01 GMT
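Dan's question above (how "all" of a set of differing policies can be enforced) is what the later CSP specifications settled by enforcing each delivered policy independently, so a load must be permitted by every policy and no intersected policy is ever computed. The Python below is an added illustration of that rule, not code from the thread or from any browser; the header values, origins and the simplified source-expression matching are constructed assumptions.

```python
from urllib.parse import urlsplit

def parse_policy(text):
    """Parse one serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def url_origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"

def source_matches(expr, url, self_origin):
    """Simplified matching (assumption: host sources are written scheme://host,
    optionally as a *.host wildcard); real CSP matching has more cases."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return url_origin(url) == self_origin
    if expr == "*":
        return True
    if expr.startswith("*."):
        return (urlsplit(url).hostname or "").endswith(expr[1:])
    return url_origin(url) == expr

def policy_allows(policy, directive, url, self_origin):
    """One policy's verdict: a missing directive falls back to default-src,
    and a policy naming neither places no restriction on the load."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(e, url, self_origin) for e in sources)

def policies_from_headers(header_values):
    """Several headers, each of which may carry comma-separated policies."""
    return [parse_policy(p) for v in header_values for p in v.split(",") if p.strip()]

def enforce_all(header_values, directive, url, self_origin):
    """'Enforce all': apply every policy on its own; allowed only if all allow."""
    return all(policy_allows(p, directive, url, self_origin)
               for p in policies_from_headers(header_values))

def enforce_first(header_values, directive, url, self_origin):
    """'Pick one': obey only the first delivered policy and ignore the rest."""
    policies = policies_from_headers(header_values)
    return not policies or policy_allows(policies[0], directive, url, self_origin)

# Constructed example: two differing policies delivered for the same document.
HEADERS = ["default-src 'self' https://cdn.example", "default-src 'self'; img-src *"]
SELF = "https://app.example"
```

With `HEADERS`, a script from `https://cdn.example` passes under `enforce_first` but is blocked under `enforce_all`, because the second policy restricts scripts to `'self'`; an image from the same host passes under both, since each policy allows it.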
