proposed text for combining policies

Advice to server operators on combining policies:

The Content-Security-Policy header is an end-to-end header.  It is processed and enforced at the client and so SHOULD NOT be modified or removed by proxies or other intermediaries not in the same administrative domain as the resource.
The originating administrative domain for a resource may wish to apply a Content-Security-Policy header outside of the immediate context of an application.  For example, a large organization may have many resources and applications managed by different individuals or teams but all subject to a uniform organizational standard. In such situations, a Content Security Policy might be added or combined with an existing one at a network-edge security gateway device or web application firewall.  For this scenario it is important to remember that only the first policy statement found by the user agent will be enforced.  Multiple policies must be combined into a single header, and the logic to do so will be contingent on the intended semantics.
A "defense-in-depth" policy combination logic might start by applying a default set of allowed sources but also allow individual upstream resource owners to expand the allowed scope by adding additional allowed origins.  In this case, the combination logic would use the union of all allowed origins in the combined policy.
Different combination logic might be intended to enforce that content may only come from certain origins, for example, to prevent developers from including third-party scripts or content in violation of organizational standards and practices.  In this case, combination logic would have to remove any disallowed hosts from policies supplied by upstream resource owners when forming the resultant content security policy statement.
Interactions between the default-src and other directives must be given special consideration when combining policies.  If neither policy contains a default-src directive, adding new src directives will always make a policy more restrictive.  If either or both policies contain a default-src directive, adding new src directives can make a policy less restrictive if the more specific directive contains a larger set of allowed origins.
Applying a more restrictive combined policy than the one set by the resource owner may cause the resource to not render or function as intended.
A given policy may have only one report-uri, so policy combination logic must choose which to use if the policies to be combined specify different URIs.
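As an added illustration (not part of the proposed text or any gateway product) of the union and intersection combination logic, the default-src fallback interaction and the single report-uri choice described above, here is a small Python model. The two sample policies, the fetch-directive list (taken as the CSP 1.0 set) and the rule that the organization's report-uri wins are assumptions for the example; sources are compared as literal tokens, without wildcard or scheme matching.

```python
from typing import Dict, Optional, Set

Policy = Dict[str, Set[str]]

# Fetch directives that fall back to default-src when absent (assumption: CSP 1.0 set)
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "frame-src")

# Constructed sample policies: an organizational baseline and an upstream owner's policy
ORG_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.org; report-uri /csp-report"
UPSTREAM_POLICY = "script-src 'self' https://analytics.example.net; img-src 'self' https://images.example.net"


def parse_policy(text: str) -> Policy:
    """Parse "dir src src; dir src" into {directive: set(sources)}; 'none' becomes an empty set."""
    policy: Policy = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = {t for t in tokens[1:] if t.lower() != "'none'"}
    return policy


def effective(policy: Policy, directive: str) -> Optional[Set[str]]:
    """Sources governing a fetch directive after the default-src fallback;
    None means the policy says nothing about it (no directive and no default-src)."""
    return policy[directive] if directive in policy else policy.get("default-src")


def combine(org: Policy, upstream: Policy, mode: str) -> Policy:
    """'union': org baseline, owners may add origins (defense in depth).
    'intersect': the org allow-list caps whatever the owner allowed.
    Every fetch directive is emitted explicitly, so the result never depends on a
    default-src fallback that one of the inputs lacked."""
    merged: Policy = {}
    for d in FETCH_DIRECTIVES:
        a, b = effective(org, d), effective(upstream, d)
        if a is None and b is None:
            continue                                  # neither policy constrains it
        if a is None or b is None:
            merged[d] = set(b if a is None else a)   # absent side contributes nothing
        else:
            merged[d] = a | b if mode == "union" else a & b
    uri = org.get("report-uri") or upstream.get("report-uri")  # one report-uri only: org wins (assumption)
    if uri:
        merged["report-uri"] = set(uri)
    return merged


def serialize(policy: Policy) -> str:
    """Render back to header syntax; an empty source set becomes 'none'."""
    return "; ".join(d + " " + (" ".join(sorted(s)) or "'none'") for d, s in policy.items())
```

Running `serialize(combine(parse_policy(ORG_POLICY), parse_policy(UPSTREAM_POLICY), "intersect"))` shows the analytics host stripped from script-src while the baseline 'self' survives; the "union" mode keeps it.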



Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com

Received on Wednesday, 2 May 2012 17:43:10 UTC