Re: CSP 1.0

On 5/7/12 6:37 PM, Adam Barth wrote:
> IMHO, this question boils down to whether servers are permitted to
> send multiple Content-Security-Policy header fields.  Currently the
> spec forbids them from doing so.  If we did permit servers to send
> multiple Content-Security-Policy header fields, then I'd agree with
> you that splitting on "," and enforcing both policies would make
> sense.  (Note: The spec does instruct user agents how to behave if
> they do receive multiple Content-Security-Policy header fields, but
> that's a separate concern.)

How can it be a separate concern? If the server is forbidden from
sending a second header where did the second header that the spec
instructs the UA to handle come from? If a proxy has combined two
headers (as evidenced by a comma) how do we know the extra one
wasn't one of these apparently legitimate ones?

If servers are forbidden from sending two headers then two headers
may be a sign of an attack, justifying a hard-line response (no
combining, comma equals death). If it's at all reasonable to combine
headers why is one kind of combining OK and the other not?

I personally prefer combining and I can live with a hard-line "only
one header" rule, but I don't like an inconsistent mix of the two.

-Dan Veditz

Received on Tuesday, 8 May 2012 17:52:04 UTC
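The two alternatives contrasted in the thread, as an added example (not code from either poster, and not the CSP specification's algorithm): a toy model of a user agent receiving Content-Security-Policy header fields, where a proxy may have folded two fields into one comma-separated value. `combine=True` splits on "," and enforces every resulting policy (a load must be allowed by all of them); `combine=False` is the hard-line rule, modelled here as failing closed with a deny-everything policy whenever more than one policy is present. The page origin, hostnames and the simplified source matching are constructed assumptions.

```python
# Added example, not part of the thread and not the CSP spec's algorithm:
# a toy model of the two ways of handling multiple Content-Security-Policy
# header fields that the discussion contrasts. Hostnames are constructed.

PAGE_ORIGIN = "https://app.example"          # assumed origin of the protected page
DENY_ALL = {"default-src": ["'none'"]}       # fail-closed policy for the hard-line option


def parse_policy(serialized):
    """Parse one serialized policy ("name src src; name src")
    into {directive-name: [source expressions]}."""
    directives = {}
    for part in serialized.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # First occurrence of a directive wins; later duplicates are ignored.
        directives.setdefault(name, sources)
    return directives


def policies_from_headers(header_values, combine):
    """header_values: the Content-Security-Policy field values as received;
    a proxy that merged two fields yields one value containing ','.

    combine=True : split on ',' and keep every policy (enforce all of them).
    combine=False: the hard-line rule. Anything other than exactly one
                   comma-free header is an error and the document gets a
                   deny-everything policy instead (one reading of
                   "comma equals death"; assumption of this model).
    """
    if combine:
        texts = [p for v in header_values for p in v.split(",")]
        return [parse_policy(t) for t in texts if t.strip()]
    if len(header_values) != 1 or "," in header_values[0]:
        return [DENY_ALL]
    return [parse_policy(header_values[0])]


def source_matches(source, origin):
    """Deliberately simplified matching: '*' matches any origin, 'self'
    matches the page origin, 'none' matches nothing, anything else must
    equal the origin exactly."""
    if source == "*":
        return True
    if source == "'self'":
        return origin == PAGE_ORIGIN
    if source == "'none'":
        return False
    return source == origin


def policy_allows(policy, directive, origin):
    """One policy allows a load if the governing directive (the specific
    one, else default-src) lists a matching source; a policy with neither
    directive does not restrict the load at all."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, origin) for s in sources)


def load_allowed(policies, directive, origin):
    """Enforcing several policies: every one of them must allow the load."""
    return all(policy_allows(p, directive, origin) for p in policies)


# Two policies a proxy has folded into a single field value (constructed).
MERGED_HEADER = ["default-src 'self'; img-src *, img-src https://cdn.example"]

if __name__ == "__main__":
    for label, combine in (("combine", True), ("strict", False)):
        pols = policies_from_headers(MERGED_HEADER, combine)
        print(label,
              "img from cdn:", load_allowed(pols, "img-src", "https://cdn.example"),
              "img from other:", load_allowed(pols, "img-src", "https://other.example"),
              "script from self:", load_allowed(pols, "script-src", PAGE_ORIGIN))
```

With the combined reading, the image from the CDN is allowed by both policies while an image from another host is blocked by the second; with the hard-line reading the merged header is rejected outright and nothing loads, which is the inconsistency the message objects to when only one of the two forms of combining is tolerated.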