Multiple Content-Security-Policy headers

At the face-to-face meeting, we discussed what to do when the user
agent receives multiple Content-Security-Policy headers.  At the
meeting, we discussed enforcing default-src 'none' as the policy in
that case in order to fail in an obnoxious way that the developer is
likely to notice.

During the test jam, I noticed that all the tests used the
following pattern:

Content-Security-Policy: <insert policy here>
X-Content-Security-Policy: <insert policy here>
X-WebKit-CSP: <insert policy here>

Do we really want to enforce default-src 'none' in this case too?
That doesn't seem like the right thing to do.  Perhaps we ought to
just enforce all the policies after all.

Adam

Received on Friday, 4 May 2012 17:38:19 UTC
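Added illustration, not part of Adam's message or of any CSP implementation: a constructed, simplified model of the two options under discussion, enforcing every received policy versus collapsing several headers into default-src 'none', applied to the test-jam pattern of three identical policies. Source matching is reduced to 'none', 'self', '*' and exact origins, and the sample headers, origins and function names are assumed.

```javascript
// Parse one header value such as "default-src 'self'; img-src *" into a
// Map of directive name -> array of source expressions (simplified grammar).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does a single policy allow loading `url` under `directive`, falling back
// to default-src when the directive is absent? An empty source list or
// 'none' matches nothing, so those cases return false.
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this fetch
  const origin = new URL(url).origin;
  return sources.some(src =>
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    src === origin);
}

// Option 1 (enforce all the policies): a load is allowed only if every
// received policy would allow it on its own, i.e. the intersection.
function allPoliciesAllow(headers, directive, url, pageOrigin) {
  return headers.map(parsePolicy)
    .every(p => policyAllows(p, directive, url, pageOrigin));
}

// Option 2 (fail obnoxiously): more than one policy collapses the whole
// set to default-src 'none', blocking every load.
function failClosedAllows(headers, directive, url, pageOrigin) {
  const policies = headers.length > 1 ? ["default-src 'none'"] : headers;
  return allPoliciesAllow(policies, directive, url, pageOrigin);
}

// Constructed sample: the test-jam pattern, where the CSP, X-CSP and
// X-WebKit-CSP headers all carry the same policy.
const TEST_JAM_HEADERS = [
  "default-src 'self'; img-src *",   // Content-Security-Policy
  "default-src 'self'; img-src *",   // X-Content-Security-Policy
  "default-src 'self'; img-src *",   // X-WebKit-CSP
];
```

With identical policies, enforcing all of them yields exactly the result a single header would, while the fail-closed rule blocks even same-origin scripts; with differing policies, enforcing all gives the intersection.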