- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 02 Oct 2009 16:21:52 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:

-- cut --
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
-- cut --

(<https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions>)

This violates the HTTP rules for header fields; see <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>:

"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]."

BR, Julian
Received on Friday, 2 October 2009 14:22:35 UTC
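The rule Julian quotes, shown in code as an added example (this is editor-supplied illustration, not part of Julian's message, the CSP wiki, or any Mozilla parser): a recipient that folds repeated fields the way RFC 2616 section 4.2 permits produces a single comma-joined value. For a field defined as #(values), such as Accept, that value still parses. For the quoted X-Content-Security-Policy sample it does not, because the wiki grammar only knows ';'-separated directives, so the comma ends up inside a source list. The header block below is constructed for the demonstration, and `parse_policy` is a deliberately simplified reading of the wiki grammar (whitespace-separated sources, first occurrence of a directive wins), assumed for illustration only.

```python
# Added example (not from Julian's message or the CSP wiki spec):
# a minimal RFC 2616 section 4.2 header combiner, applied to the two
# X-Content-Security-Policy lines quoted above, next to an Accept field,
# which is defined as #(values) and therefore may legitimately repeat.

# Constructed raw header block for the demonstration. The two
# X-Content-Security-Policy lines reproduce the wiki's sample; the
# Accept lines are made up for contrast.
RAW_HEADERS = (
    "Accept: text/html\r\n"
    "Accept: application/xml;q=0.9\r\n"
    "X-Content-Security-Policy: allow *; script-src 'self'\r\n"
    "X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';\r\n"
)


def parse_headers(raw):
    """Split a CRLF-delimited header block into (lower-cased name, value) pairs."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def combine(fields):
    """Join repeated fields with ", ", as RFC 2616 4.2 lets a recipient do.

    The RFC permits this only for fields defined as #(values); a generic
    combiner cannot tell, so it joins everything. That is the crux of the
    complaint: the joined value must still parse under the field's grammar.
    """
    combined = {}
    for name, value in fields:
        combined[name] = combined[name] + ", " + value if name in combined else value
    return combined


def split_list(value):
    """Split a #(values) field value on commas, dropping empty elements."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_policy(policy):
    """Parse one policy as ';'-separated 'directive-name source ...' entries.

    Deliberately naive reading of the wiki grammar (an assumption for this
    example, not Mozilla's parser): sources are whitespace-separated tokens
    and the first occurrence of a directive name wins.
    """
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, sources = part.partition(" ")
        directives.setdefault(name, sources.split())
    return directives


def parse_as_defined(value):
    """The field value is one policy, which is all the wiki grammar defines."""
    return parse_policy(value)


def parse_as_list(value):
    """What a recipient could do if the field were defined as #(policy)."""
    return [parse_policy(p) for p in split_list(value)]


if __name__ == "__main__":
    combined = combine(parse_headers(RAW_HEADERS))
    print("Accept ->", split_list(combined["accept"]))
    csp = combined["x-content-security-policy"]
    print("Combined CSP value:", csp)
    print("Parsed as one policy:", parse_as_defined(csp))
    print("Parsed as #(policy):", parse_as_list(csp))
```

Running it shows the two outcomes side by side: under the grammar as the wiki defines it, the folded value yields a `script-src` source list of `'self',`, `allow` and `*`, so the comma is swallowed and `*` lands in the script whitelist; if the field were defined as #(policy), splitting on commas first recovers the two original policies intact, which is exactly why the quoted RFC text requires that definition before a header may be repeated.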