Re: CSP 1.0

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 07 May 2012 18:25:36 -0700
Message-ID: <4FA87610.3040406@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org
I'm having trouble reconciling 2 and 3 (text below with minor deletions)

On 5/7/12 1:54 AM, Adam Barth wrote:
> 2) Somewhat more controversially, I've changed the behavior when the
> user agent receives more than one policy.  At the face-to-face, we
> discussed having the user agent enforce a policy of default-src 'none'
> in this case, but during the test jam, I realized that user agents are
> going to need to implement policy combination anyway to deal with
> vendor prefixes.
> 
> 3) As discussed at the face-to-face, the spec now requires user agents
> to enforce the policy default-src 'none' if they encounter a CSP
> policy with a comma:
> 
> Such a policy is likely the result of network intermediaries mangling
> the policy.

A policy with a comma is more likely the result of a network
combining two separate policies according to the HTTP spec. If we're
OK combining headers when received separately--which I am!--why
punish sites if a proxy takes what would be an acceptable set of
headers and transforms them in a predictable way?

It would be more consistent to specify that headers should be split
on commas and then combined as in 2).  Saying that both cases should
be default-src 'none' would be equally consistent, but might
discourage adoption of CSP if sites broke unpredictably.

-Dan Veditz
Received on Tuesday, 8 May 2012 01:26:20 GMT
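As an added illustration of the two behaviours contrasted above (example code, not from this thread or from any browser's CSP implementation), the following Python models a simplified CSP 1.0 matcher: received header values are either split on commas and enforced jointly, as Dan proposes, or collapsed to default-src 'none' whenever a comma appears. The sample header values and page origin are constructed, and the source-list matching is a deliberately reduced subset.

```python
from urllib.parse import urlsplit

NONE_POLICY = {"default-src": ["'none'"]}

# Constructed sample: the same two policies as sent by the origin server in
# two header fields, and as a proxy might merge them into a single field.
SEPARATE = ["default-src 'self'", "script-src 'self' https://cdn.example.net"]
JOINED = ["default-src 'self', script-src 'self' https://cdn.example.net"]
PAGE_ORIGIN = "https://example.com"


def parse_policy(text):
    """Parse one policy string into {directive-name: [source expressions]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def collect_policies(header_values, strategy="split"):
    """'split': comma-separate each field (HTTP list-header combining) and keep
    every policy; 'strict': a field containing a comma yields default-src 'none'."""
    policies = []
    for value in header_values:
        if strategy == "strict" and "," in value:
            return [NONE_POLICY]
        policies.extend(parse_policy(p) for p in value.split(",") if p.strip())
    return policies


def source_allowed(sources, origin, page_origin):
    """Reduced source-list match: only 'none', '*', 'self' and literal origins."""
    if "'none'" in sources:
        return False
    return any(s == "*" or s == origin or (s == "'self'" and origin == page_origin)
               for s in sources)


def policy_allows(policy, directive, url, page_origin):
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is present
    return source_allowed(sources, origin, page_origin)


def load_allowed(header_values, directive, url, page_origin, strategy="split"):
    """Combination rule: a load is permitted only if every policy permits it."""
    return all(policy_allows(p, directive, url, page_origin)
               for p in collect_policies(header_values, strategy))
```

Under the split strategy the separate and proxy-joined forms decide every load identically, while the strict strategy blocks even same-origin scripts once a proxy has joined the fields.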

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 May 2012 01:26:21 GMT