
Re: CSP 1.0

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 08 May 2012 10:51:21 -0700
Message-ID: <4FA95D19.3090904@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org

On 5/7/12 6:37 PM, Adam Barth wrote:
> IMHO, this question boils down to whether servers are permitted to
> send multiple Content-Security-Policy header fields.  Currently the
> spec forbids them from doing so.  If we did permit servers to send
> multiple Content-Security-Policy header fields, then I'd agree with
> you that splitting on "," and enforcing both policies would make
> sense.  (Note: The spec does instruct user agents how to behave if
> they do receive multiple Content-Security-Policy header fields, but
> that's a separate concern.)

How can it be a separate concern? If the server is forbidden from
sending a second header where did the second header that the spec
instructs the UA to handle come from? If a proxy has combined two
headers (as evidenced by a comma) how do we know the extra one
wasn't one of these apparently legitimate ones?

If servers are forbidden from sending two headers then two headers
may be a sign of an attack, justifying a hard-line response (no
combining, comma equals death). If it's at all reasonable to combine
headers why is one kind of combining OK and the other not?

I personally prefer combining and I can live with a hard-line "only
one header" rule, but I don't like an inconsistent mix of the two.

-Dan Veditz
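An added example, not code from this thread or from any browser, modelling the two user-agent behaviours under discussion: "combine and enforce every policy" (where a proxy-joined comma and a second header field are treated alike) versus the hard-line "only one header, a comma is a parse failure". Source matching is a deliberately small subset of CSP (host, `*.host`, `*`, `'self'`, `'none'`) and the sample header values are constructed.

```python
# Toy model of Content-Security-Policy header handling for the question raised
# in the thread; the policy grammar and source matching are simplified on purpose.

def parse_policy(text):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def policies_from_fields(fields, mode="combine"):
    """fields: the Content-Security-Policy header field values as received.
    "combine": commas (e.g. proxy-folded headers) and extra fields are treated
    alike, and every resulting policy is enforced.
    "strict": exactly one field with no comma; anything else is treated as a
    malformed response and None is returned."""
    if mode == "strict":
        if len(fields) != 1 or "," in fields[0]:
            return None
        return [parse_policy(fields[0])]
    policies = []
    for field in fields:
        policies.extend(parse_policy(p) for p in field.split(",") if p.strip())
    return policies

def source_allowed(policy, directive, host, self_host):
    """Does one policy allow a load from `host` under `directive`?
    Falls back to default-src; if neither is set, the directive is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    for src in sources:
        if src == "*" or src == host:
            return True
        if src == "'self'" and host == self_host:
            return True
        if src.startswith("*.") and host.endswith(src[1:]):
            return True
    return False  # also covers "'none'": nothing matched

def load_allowed(policies, directive, host, self_host):
    """Enforce-all semantics: a load is permitted only if every policy permits it."""
    return all(source_allowed(p, directive, host, self_host) for p in policies)

# Constructed sample: the origin's policy plus a second, tighter script-src policy,
# seen either as two header fields or, after a proxy folded them, as one comma-joined field.
TWO_FIELDS = ["default-src 'self'; script-src 'self' cdn.example.com",
              "script-src cdn.example.com"]
PROXY_JOINED = [", ".join(TWO_FIELDS)]
```

In combine mode the two forms produce identical policy lists and a same-origin script is refused because the second policy does not allow it; in strict mode both forms are rejected outright, which is the "comma equals death" outcome.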
Received on Tuesday, 8 May 2012 17:52:04 GMT
