- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Fri, 2 Oct 2009 17:52:34 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Oct 2, 2009 at 4:21 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Hi,
>
> I'm looking at <https://wiki.mozilla.org/Security/CSP/Spec> and find...:
>
> -- cut --
> X-Content-Security-Policy: allow *; script-src 'self'
> X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';
> -- cut --
>
> (<https://wiki.mozilla.org/Security/CSP/Spec#Sample_Policy_Definitions>)
>
> This violates the HTTP rules for header fields; see
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>:
>
> "Multiple message-header fields with the same field-name MAY be present in a
> message if and only if the entire field-value for that header field is
> defined as a comma-separated list [i.e., #(values)]."

Well, given that the syntax for the header isn't clearly defined, I wouldn't say that it's a violation (define its value as #(<policy>) and you're done).

The issue would more be that <fv-char> (used in <future-value>) and, AFAICT, URI allow commas, unescaped and outside quoted strings or similar delimiting constructs; which makes splitting on comma difficult (splitting on /,\s*allow\s/ should work if I'm reading things correctly, unless a <future-value> contains such a string...)

--
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Friday, 2 October 2009 15:53:09 UTC
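An added illustration of the splitting problem discussed in this message (example code, not from the thread or the CSP spec): two repeated X-Content-Security-Policy fields folded into one comma-separated value per RFC 2616 section 4.2, then split naively on every comma versus on the `,\s*allow\s` heuristic. The third policy, with a comma inside a report-uri URI, and the host `example.invalid` are constructed for the example.

```python
import re

# Constructed sample: the two policies from the CSP spec's sample, plus a
# constructed third policy whose report-uri value contains an unescaped comma
# (URIs permit that). Each string is the value of one header field.
RAW_HEADERS = [
    "allow *; script-src 'self'",
    "allow *; script-src 'self'; media-src 'self';",
    "allow 'self'; report-uri http://example.invalid/r?a=1,b=2",  # constructed
]


def fold_headers(values):
    """Merge repeated fields the way RFC 2616 4.2 permits for #(values): join with ', '."""
    return ", ".join(values)


def split_naive(folded):
    """Split on every comma, as a generic list-header parser would.

    This breaks the third policy in two because its URI contains a comma."""
    return [p.strip() for p in folded.split(",")]


def split_on_allow(folded):
    """Split only where a comma is followed by a new 'allow' directive.

    A lookahead keeps the 'allow' with the policy it starts. This assumes every
    policy begins with 'allow', which a <future-value> could still defeat."""
    return re.split(r",\s*(?=allow\s)", folded)


def parse_policy(policy):
    """Parse one policy into {directive: [source, ...]}; directives are ';'-separated."""
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        directives[name] = value.split()
    return directives


if __name__ == "__main__":
    folded = fold_headers(RAW_HEADERS)
    print("naive pieces:", len(split_naive(folded)))      # 4: URI torn apart
    print("allow pieces:", len(split_on_allow(folded)))   # 3: one per header field
    for p in split_on_allow(folded):
        print(parse_policy(p))
```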