[CSP2] Number of CSP Header Fields

Hello,

I have a question about the Header Field.

I'm referring to
http://www.w3.org/TR/CSP2/#content-security-policy-header-field

First statement:

"A server MUST NOT send more than one HTTP header field named
Content-Security-Policy with a given resource representation."

According to RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt) it's prohibited
to send more than one header field.

But the last statement says:

"Upon receiving an HTTP response containing at least one
Content-Security-Policy header field, the user agent MUST enforce each of
the policies contained in each such header field."

At least one? The first statement is really clear?

Thank you

Stefan Ossendorf

Received on Thursday, 2 April 2015 21:07:07 UTC
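
The two quoted requirements address different parties: the first constrains what a server sends, the second tells a user agent what to do with whatever it receives. The sketch below is an added example, not part of the original message or of the specification; its function names, header values and origins are constructed, and source matching is reduced to `*`, `'self'` and exact origins as a stated simplification.

```javascript
// Added example: simplified model of how a user agent treats several
// Content-Security-Policy header fields. Names and origins are constructed.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A directive repeated inside one policy is ignored; the first wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Each header field value may hold a comma-separated list of policies, so
// two fields and one comma-joined field produce the same set of policies.
function parsePolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0)
    .map(parsePolicy);
}

// Simplification (assumption): only '*', 'self' and exact origins match.
function policyAllows(directives, directive, origin, selfOrigin) {
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // this policy sets no restriction
  return sources.some(
    (s) => s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin
  );
}

// Enforcing each policy means a load must be allowed by every one of them.
function isAllowed(headerValues, directive, origin, selfOrigin) {
  return parsePolicies(headerValues).every((p) =>
    policyAllows(p, directive, origin, selfOrigin)
  );
}

// Sender-side check: count Content-Security-Policy fields in a response,
// given as [name, value] pairs; more than one violates the MUST NOT.
function countCspFields(headerPairs) {
  return headerPairs.filter(
    ([name]) => name.toLowerCase() === "content-security-policy"
  ).length;
}
```

With two policies in play, a script origin permitted by one but not the other is blocked, so an extra header field can only tighten the effective policy.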