- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 03 Feb 2011 10:06:46 -0800
- To: Terri Oda <terri@zone12.com>
- CC: public-web-security@w3.org
On 2/2/11 10:18 PM, Terri Oda wrote:
> Content-Security-Policy: {
> script-src: example.com, paypalobjects.com;
> }
One warning about commas -- should there be two headers with the
same name it's permissible for proxies to combine them into one,
separated by a comma.
From RFC 2616 section 4.2:
It MUST be possible to combine the multiple header fields into
one "field-name: field-value" pair, without changing the
semantics of the message, by appending each subsequent
field-value to the first, each separated by a comma.
I don't know if any proxies commonly do this, but it's permissible.
AFAIK there's no provision for -splitting- headers on commas so your
syntax is still OK as long as you allow for the possibility of "{
policy }, { another header's worth }"
The Mozilla CSP spec avoids commas for this reason, using ';' as
delimiters. That way we can split on a comma if found and then
intersect the two policies (tightening restrictions). Otherwise
there might be a rare attack where if you found a potential victim
on a path with a proxy that does that kind of coalescing AND could
inject a second header then you could disable or weaken the CSP
policy for that site.
-Dan Veditz
Received on Thursday, 3 February 2011 18:07:27 UTC
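The following is an added example, not code from Veditz's message or from Mozilla's CSP implementation. It simulates the receiving side he describes: a header value that a proxy has coalesced per RFC 2616 section 4.2 is split on commas into separate ';'-delimited policies, and a load is permitted only if every policy permits it (the "intersect the two policies" rule), so an injected second header can only tighten, never weaken, the original. Source matching is deliberately simplified (exact host, `*`, `'none'`, `'self'`), the fallback to `default-src` is an assumption about modern CSP rather than anything in the message, and the policy strings are constructed samples.

```javascript
// Added example (not from the original message): split a coalesced CSP header
// value on commas and enforce the intersection of the resulting policies.

// Parse one policy ("dir src src; dir src") into Map<directive, [source...]>.
// Quotes around keywords such as 'self' and 'none' are stripped for matching.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(
      name.toLowerCase(),
      sources.map(s => s.toLowerCase().replace(/^'|'$/g, ''))
    );
  }
  return directives;
}

// A proxy may have joined two same-named headers with a comma (RFC 2616 4.2).
// Because the policy grammar itself never uses commas, each comma-separated
// chunk can be treated as a complete, separately enforced policy.
function splitCoalescedHeader(headerValue) {
  return headerValue
    .split(',')
    .map(s => s.trim())
    .filter(Boolean)
    .map(parsePolicy);
}

// Simplified source-expression matching: exact host, '*', 'none', 'self'.
function sourceMatches(expr, host, pageHost) {
  if (expr === 'none') return false;
  if (expr === '*') return true;
  if (expr === 'self') return host === pageHost;
  return expr === host;
}

// Does a single policy permit loading `host` under `directive`?
// Assumption: an absent directive falls back to default-src, and a policy
// that names neither imposes no restriction on that load.
function policyAllows(policy, directive, host, pageHost) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some(expr => sourceMatches(expr, host, pageHost));
}

// Intersection semantics: every policy in the coalesced value must allow it.
// A weaker injected policy therefore cannot override the legitimate one.
function allowedByAll(headerValue, directive, host, pageHost) {
  return splitCoalescedHeader(headerValue)
    .every(p => policyAllows(p, directive, host, pageHost));
}

// Constructed sample: the site's real header, plus an attacker-injected second
// header that a coalescing proxy has appended after a comma.
const legit = "script-src 'self' paypalobjects.com";
const coalesced = legit + ", script-src *";

for (const host of ['example.com', 'paypalobjects.com', 'evil.com']) {
  console.log(
    `${host}: legit only -> ${allowedByAll(legit, 'script-src', host, 'example.com')}, ` +
    `coalesced -> ${allowedByAll(coalesced, 'script-src', host, 'example.com')}`
  );
}
```

Had the parser instead treated the whole coalesced value as one policy, or picked the last comma-separated chunk, the injected `script-src *` would have opened script loading to every host; with intersection the injected policy is harmless, and an injected `script-src 'none'` would only cause a denial of service, not a bypass.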