- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 4 May 2012 11:09:04 -0700
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Veditz <dveditz@mozilla.com>
I guess it depends, in part, on how we expect new directives to be introduced. For example, suppose I want to get some implementation experience with the script-nonce directive while CSP 1.1 is still being discussed in this working group. Should I implement it in Content-Security-Policy? Should I only recognize it in the X-WebKit-CSP header until it's the working group has agreed that it's stable? Adam On Fri, May 4, 2012 at 11:01 AM, Hill, Brad <bhill@paypal-inc.com> wrote: > My intuition here is to treat vendor-prefixed headers the way we proposed treating the META tag in 1.1: ignore them if an un-prefixed "Content-Security-Policy" header is present. > > Some early adopters may want to send both or will continue sending the vendor-prefixed versions to support older browsers, but I don't think this pattern is actually indicating the intent to combine policy semantics, (what the default-src 'none' behavior tries to protect against) but instead trying to communicate a single policy through multiple channels. > > -Brad > >> -----Original Message----- >> From: Adam Barth [mailto:w3c@adambarth.com] >> Sent: Friday, May 04, 2012 10:37 AM >> To: public-webappsec@w3.org >> Cc: Daniel Veditz >> Subject: Multiple Content-Security-Policy headers >> >> At the face-to-face meeting, we discussed what to do when the user agent >> receives multiple Content-Security-Policy headers. At the meeting, we >> discussed enforcing default-src 'none' as the policy in that case in order to >> fail in an obnoxious way that the developer is likely to notice. >> >> During the test jam, and I noticed that all the tests used the following >> pattern: >> >> Content-Security-Policy: <insert policy here> >> X-Content-Security-Policy: <insert policy here> >> X-WebKit-CSP: <insert policy here> >> >> Do we really want to enforce default-src 'none' in this case too? >> That doesn't seem like the right thing to do. Perhaps we ought to just >> enforce all the policies after all. >> >> Adam >
Received on Friday, 4 May 2012 18:10:09 UTC