W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

CSP and comma-separated directives

From: Yoav Weiss <yoav@yoav.ws>
Date: Tue, 8 Jan 2013 16:55:38 +0100
Message-ID: <CACj=BEh2d-ABP6yC=uiRg1o18CwKAxCuDBAvUEbBH=561aaBUQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Since section 3.1.1 permits sending multiple CSP headers, according to RFC
2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2), the
following should be semantically equivalent:
    Content-Security-Policy: script-src http://bla.com
    Content-Security-Policy: default-src http://bla.org
    Content-Security-Policy: script-src http://bla.com/blabla
and
    Content-Security-Policy: script-src http://bla.com, default-src
http://bla.org, script-src http://bla.com/blabla

Such HTTP header merging can be done by an HTTP proxy.

That raises a couple of questions:
1. How does the specification deal with delimiting commas (and the lack of
delimiting semi-colons)?
2. Do several CSP headers create a single CSP policy, or multiple ones?

>From sections 3.1.1 and 3.2.1, I understand that each HTTP header creates a
separate CSP policy, and a delimiting semi-colon must be present.

If I understand correctly, while the 3 separate CSP headers create 3 CSP
policies which will be applied with an "and" relationship, the merged CSP
header, assuming it will become valid(e.g. by allowing delimiting commas),
will ignore the second script-src directive.

That means that HTTP header merging will lead to different policies being
applied.

Am I missing something?

Yoav
Received on Tuesday, 8 January 2013 15:56:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2013 15:56:07 GMT