
Re: Multiple Content-Security-Policy headers

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 May 2012 15:36:22 -0700
Message-ID: <CAJE5ia94_wt1k9opXybMhBMSTsAxNT+bqropV3NXnwMYRVe=mw@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: public-webappsec@w3.org
On Mon, May 7, 2012 at 3:29 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> On 5/7/12 11:37 AM, Adam Barth wrote:
>> An action is allowed only if that action is allowed by all the policies.
>>
>> More technically, all the requirements for enforcing CSP directives
>> are phrased in terms of forbidding the user agent from doing certain
>> things (e.g., executing inline scripts).  To enforce multiple
>> policies, we just forbid the user agent from doing all of the things
>> forbidden by any of the policies.
>>
>> From any implementation point of view, you can just keep a list of all
>> the policies you want to enforce.  To determine whether an action is
>> allowed, you just loop over all the policies and check that none of
>> them forbid it.  I don't think there's any need to materialize a
>> combined policy, which is what was so complicated about the previous
>> definition of policy combination.
>
> One policy might whitelist foo.com while another may not.  According to
> Adam's proposal, we'd go through both policies.  Once we realize one does
> not allow it, we forbid it.  This will take extra time to parse the policies
> and extra implementation work for the browsers.
>
> Instead, what if we set precedence for different types of headers.  If
> Firefox sees Content-Security-Policy and X-Content-Security-Policy, it
> ignores X-Content-Security-Policy.  If WebKit sees Content-Security-Policy
> and X-WebKit-CSP, it ignores X-WebKit-CSP.  If either browser sees two of
> the same headers (2 Content-Security-Policy, 2 X-Content-Security-Policy, or
> 2 X-WebKit-CSP), set the policy to default-src 'none'.

I'd rather not spec what implementations should do with
vendor-prefixed headers, if we can avoid it.

I guess I was mistaken.  I thought you and dveditz preferred that the
user agent combined multiple policies.  If you and Dan would prefer
that multiple Content-Security-Policy headers cause the user agent to
enforce default-src 'none', I'm happy to update the spec to require
that.

Adam
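The two enforcement models argued over in this thread, as an added Python illustration that is not code from the thread, the spec or any browser: Adam's "allowed only if every policy allows it" loop with no materialised combined policy, beside Tanvi's "duplicate headers collapse to default-src 'none'" rule. It assumes a deliberately reduced CSP grammar (bare hostnames, optional "*." prefix, 'self', 'none', '*') and represents origins as hostnames, ignoring scheme, port and path.

```python
"""Added illustration of the two models for multiple Content-Security-Policy
headers discussed in this thread; not code from the thread or any browser.
Assumed simplifications: sources are bare hostnames (optionally "*."-prefixed),
'self', 'none' or '*'; origins are bare hostnames; scheme/port/path are ignored."""


def parse_policy(header: str) -> dict:
    """Parse one header value into {directive_name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def policy_allows(policy: dict, directive: str, host: str, self_host: str) -> bool:
    """One policy allows a load iff the governing directive, or its default-src
    fallback, lists a matching source; if neither is present it is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    for src in sources:
        if src == "'none'":
            continue  # 'none' matches nothing, so it never allows anything
        if src == "*" or src == host or (src == "'self'" and host == self_host):
            return True
        if src.startswith("*.") and host.endswith(src[1:]):
            return True  # *.cdn.net matches a.cdn.net but not cdn.net itself
    return False

def allowed_under_all(headers: list, directive: str, host: str, self_host: str) -> bool:
    """Adam's model: no combined policy is materialised.  Every header is
    enforced independently and the load is allowed only if all of them allow
    it, so the first policy that forbids the load settles the question."""
    return all(policy_allows(parse_policy(h), directive, host, self_host)
               for h in headers)

def allowed_with_duplicate_lockdown(headers: list, directive: str, host: str,
                                    self_host: str) -> bool:
    """Tanvi's alternative: two or more of the same header collapse to
    default-src 'none', forbidding everything regardless of their contents."""
    if len(headers) > 1:
        headers = ["default-src 'none'"]
    return allowed_under_all(headers, directive, host, self_host)

# Constructed sample matching the thread's foo.com case: one policy whitelists
# foo.com, the other does not, so under Adam's model the script is forbidden.
SAMPLE_HEADERS = ["script-src 'self' foo.com", "script-src 'self'"]
```

Under Adam's model `SAMPLE_HEADERS` still permits 'self' scripts, because both policies allow them; under the lockdown rule the mere presence of two headers forbids those as well.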
Received on Monday, 7 May 2012 22:37:24 GMT
