W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

Re: CSP and comma-separated directives

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Jan 2013 14:36:16 -0800
Message-ID: <CAJE5ia-LbttomjM55BpexcQnxOmJSoh4kBDXoiLZ9jW5j+Vvtg@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
The header is first split on , and then each of the comma-separated
values are interpreted as if they were sent in separate
Content-Security-Policy headers:

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#content-security-policy-header-field

"Content-Security-Policy:" 1#policy

The 1#policy means 1 or more comma separated policies.

Adam


On Tue, Jan 8, 2013 at 7:55 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> Since section 3.1.1 permits sending multiple CSP headers, according to RFC
> 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2), the
> following should be semantically equivalent:
>     Content-Security-Policy: script-src http://bla.com
>     Content-Security-Policy: default-src http://bla.org
>     Content-Security-Policy: script-src http://bla.com/blabla
> and
>     Content-Security-Policy: script-src http://bla.com, default-src
> http://bla.org, script-src http://bla.com/blabla
>
> Such HTTP header merging can be done by an HTTP proxy.
>
> That raises a couple of questions:
> 1. How does the specification deal with delimiting commas (and the lack of
> delimiting semi-colons)?
> 2. Do several CSP headers create a single CSP policy, or multiple ones?
>
> From sections 3.1.1 and 3.2.1, I understand that each HTTP header creates a
> separate CSP policy, and a delimiting semi-colon must be present.
>
> If I understand correctly, while the 3 separate CSP headers create 3 CSP
> policies which will be applied with an "and" relationship, the merged CSP
> header, assuming it will become valid(e.g. by allowing delimiting commas),
> will ignore the second script-src directive.
>
> That means that HTTP header merging will lead to different policies being
> applied.
>
> Am I missing something?
>
> Yoav
Received on Tuesday, 8 January 2013 22:37:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2013 22:37:17 GMT