W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

Re: Multiple Content-Security-Policy headers

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Mon, 07 May 2012 15:29:46 -0700
Message-ID: <4FA84CDA.2040208@mozilla.com>
To: public-webappsec@w3.org
On 5/7/12 11:37 AM, Adam Barth wrote:
> An action is allowed only if that action is allowed by all the policies.
>
> More technically, all the requirements for enforcing CSP directives
> are phrased in terms of forbidding the user agent from doing certain
> things (e.g., executing inline scripts).  To enforce multiple
> policies, we just forbid the user agent from doing all of the things
> forbidden by any of the policies.
>
> > From any implementation point of view, you can just keep a list of all
> the policies you want to enforce.  To determine whether an action is
> allowed, you just loop over all the policies and check that none of
> them forbid it.  I don't think there's any need to materialize a
> combined policy, which is what was so complicated about the previous
> definition of policy combination.
>
> Adam
>
One policy might whitelist foo.com while another may not.  According to 
Adam's proposal, we'd go through both policies.  Once we realize one 
does not allow it, we forbid it.  This will take extra time to parse the 
policies and extra implementation work for the browsers.

Instead, what if we set precedence for different types of headers.  If 
firefox see's Content-Security-Policy and X-Content-Security-Policy, it 
ignores X-Content-Security-Policy.  If Webkit sees 
Content-Security-Policy and X-WebKit-CSP, it ignores X-WebKit-CSP.  If 
either browser see's two of the same headers (2 Content-Security-Policy, 
2 X-Content-Security-Policy, or 2 X-Webkit-CSP), set the policy to 
default-src 'none'.

~Tanvi
Received on Monday, 7 May 2012 22:30:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 May 2012 22:30:22 GMT