
Re: CSP and comma-separated directives

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 08 Jan 2013 09:25:07 -0800
Message-ID: <50EC5673.9040601@mozilla.com>
To: Yoav Weiss <yoav@yoav.ws>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 1/8/2013 7:55 AM, Yoav Weiss wrote:
> That raises a couple of questions: 1. How does the specification deal
> with delimiting commas (and the lack of delimiting semi-colons)? 2.
> Do several CSP headers create a single CSP policy, or multiple ones?

The spec doesn't seem to say what to do in that case. The Mozilla
implementation first splits the header(s) on commas to reconstruct the
assumed-merged multiple headers before applying the parsing rules for
individual headers.

> the merged CSP header, assuming it will become valid (e.g. by allowing
> delimiting commas), will ignore the second script-src directive.

Taken literally the existing spec would treat that as a single 
badly-formed script-src directive that included the hosts "default-src" 
and "script-src". Splitting merged headers on comma seems to be assumed.

-Dan Veditz
Received on Tuesday, 8 January 2013 17:25:41 GMT
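The two readings discussed in this thread (split merged headers on commas first, versus take the combined value literally as one policy) can be contrasted with a small parser. This is an added illustration, not Mozilla's implementation and not code from the thread; the header values are constructed for the example, and the "first directive wins" rule for duplicate directive names within one policy follows CSP 1.0.

```python
# Added example: how a CSP header value that was produced by merging several
# Content-Security-Policy headers parses under two different readings.

def merge_headers(values):
    """Emulate what a generic HTTP stack does with several same-named headers:
    join the values with ", " into one field value (RFC 2616 section 4.2)."""
    return ", ".join(values)


def parse_single_policy(policy_text):
    """Parse one CSP policy: directives separated by ';', each directive being
    a name followed by whitespace-separated source expressions.
    A directive name that appears more than once within the same policy keeps
    its first occurrence; later duplicates are ignored (CSP 1.0 behaviour)."""
    directives = {}
    for token in policy_text.split(";"):
        token = token.strip()
        if not token:
            continue
        parts = token.split()
        name, values = parts[0].lower(), parts[1:]
        if name in directives:
            continue  # second script-src (etc.) is dropped, not merged
        directives[name] = values
    return directives


def parse_comma_splitting(header_value):
    """Comma-splitting reading: undo the header merge first, then parse each
    piece as its own policy. Returns a list of policies, each enforced
    independently. Lossless here because CSP 1.0 source expressions contain
    no commas, so every comma must be a header boundary."""
    return [parse_single_policy(p) for p in header_value.split(",") if p.strip()]


def parse_literal(header_value):
    """Literal reading: no comma handling at all, so the merged value is one
    policy and the commas are swallowed into the source list of whatever
    directive they land in."""
    return [parse_single_policy(header_value)]


# Constructed scenario: three separate headers emitted by, say, an app server
# and a front-end proxy, then merged by an intermediary.
ORIGINAL_HEADERS = [
    "script-src 'self'",
    "default-src 'none'",
    "script-src https://cdn.example",
]
MERGED = merge_headers(ORIGINAL_HEADERS)

if __name__ == "__main__":
    print("merged value:", MERGED)
    print("comma-splitting:", parse_comma_splitting(MERGED))
    print("literal:        ", parse_literal(MERGED))
    # Duplicate directive inside ONE policy: the second script-src is ignored.
    print(parse_single_policy("default-src 'self'; script-src 'self'; script-src https://cdn.example"))
```

Under the comma-splitting reading the merged value yields three independent policies, so a script only loads if every policy allows it. Under the literal reading the whole value collapses into a single malformed `script-src` directive whose "hosts" include the strings `default-src` and `script-src`, which is the outcome Dan describes above; a server operator who cannot control header merging along the path should assume the stricter, multi-policy interpretation when reasoning about what the browser will enforce.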
