Re: Multiple Content-Security-Policy headers

On 04/05/2012 19:37, Adam Barth wrote:
> what to do when the user
> agent receives multiple Content-Security-Policy headers.  At the
> meeting, we discussed enforcing default-src 'none' as the policy in
> that case in order to fail in an obnoxious way that the developer is
> likely to notice.
> 
> During the test jam, I noticed that all the tests used the
> following pattern:
> 
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
> 
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do.  Perhaps we ought to
> just enforce all the policies after all.


Or enforce the first one we can recognize, but if we find more than one
of the same "variant" (e.g. two X-WebKit-CSP) *then* fail hard? Wouldn't
this allow graceful degradation patterns with prefixed headers, but
still help authors to clean up bogus configurations?

-- G
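The two selection rules under discussion, modelled as an added example (not code from this thread or from any browser). It assumes "first" means first in the order the headers were received, and the header lists are constructed samples.

```python
# Added example: the "fail hard on any duplicate" rule from the meeting
# beside the "first recognized, fail hard only on a duplicated variant"
# rule proposed in the reply. Header lists below are constructed.
from collections import Counter

# Header names the user agent recognizes as CSP variants (from the thread).
CSP_VARIANTS = ("content-security-policy", "x-content-security-policy",
                "x-webkit-csp")
FAIL_HARD = "default-src 'none'"   # the obnoxious, developer-visible policy

def csp_headers(headers):
    """Return (name, value) pairs of recognized CSP headers, in order received."""
    return [(name.lower(), value.strip())
            for name, value in headers if name.lower() in CSP_VARIANTS]

def policy_strict(headers):
    """Meeting rule: more than one CSP header of any variant -> fail hard."""
    found = csp_headers(headers)
    if not found:
        return None          # no policy delivered, nothing to enforce
    if len(found) > 1:
        return FAIL_HARD
    return found[0][1]

def policy_first_recognized(headers):
    """Reply's rule: enforce the first recognized header, but fail hard
    when one variant (e.g. two X-WebKit-CSP) appears more than once."""
    found = csp_headers(headers)
    if not found:
        return None
    per_variant = Counter(name for name, _ in found)
    if any(count > 1 for count in per_variant.values()):
        return FAIL_HARD
    return found[0][1]

# Constructed sample: the graceful-degradation pattern seen at the test jam.
PREFIXED_TRIPLE = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Security-Policy", "default-src 'self'"),
    ("X-WebKit-CSP", "default-src 'self'"),
    ("Content-Type", "text/html"),   # unrelated header, ignored
]
# Constructed sample: a bogus configuration repeating the same variant.
DUPLICATED_VARIANT = [
    ("X-WebKit-CSP", "default-src 'self'"),
    ("X-WebKit-CSP", "script-src 'self'"),
]
```

Under the meeting rule the prefixed triple collapses to `default-src 'none'`; under the reply's rule it enforces `default-src 'self'` while the duplicated X-WebKit-CSP pair still fails hard.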

Received on Friday, 4 May 2012 18:15:40 UTC