Re: CSP syntax

On 2/2/11 10:18 PM, Terri Oda wrote:
> Content-Security-Policy: {
>     script-src:,;
> }

One warning about commas -- should there be two headers with the
same name it's permissible for proxies to combine them into one,
separated by a comma.

>From RFC 2616 section 4.2

   It MUST be possible to combine the multiple header fields into
   one "field-name: field-value" pair, without changing the
   semantics of the message, by appending each subsequent
   field-value to the first, each separated by a comma.

I don't know if any proxies commonly do this, but it's permissible.
AFAIK there's no provision for -splitting- headers on commas so your
syntax is still OK as long as you allow for the possibility of "{
policy }, { another header's worth }"

The Mozilla CSP spec avoids commas for this reason, using ';' as
delimiters. That way we can split on a comma if found and then
intersect the two policies (tightening restrictions). Otherwise
there might be a rare attack where if you found a potential victim
on a path with a proxy that does that kind of coalescing AND could
inject a second header then you could disable or weaken the CSP
policy for that site.

-Dan Veditz

Received on Thursday, 3 February 2011 18:07:27 UTC