- From: Giorgio Maone <g.maone@informaction.com>
- Date: Fri, 04 May 2012 20:08:30 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org, Daniel Veditz <dveditz@mozilla.com>
On 04/05/2012 19:37, Adam Barth wrote:
> what to do when the user
> agent receives multiple Content-Security-Policy headers. At the
> meeting, we discussed enforcing default-src 'none' as the policy in
> that case in order to fail in an obnoxious way that the developer is
> likely to notice.
>
> During the test jam, I noticed that all the tests used the
> following pattern:
>
> Content-Security-Policy: <insert policy here>
> X-Content-Security-Policy: <insert policy here>
> X-WebKit-CSP: <insert policy here>
>
> Do we really want to enforce default-src 'none' in this case too?
> That doesn't seem like the right thing to do. Perhaps we ought to
> just enforce all the policies after all.

Or enforce the first one we can recognize, but if we find more than one of the same "variant" (e.g. two X-WebKit-CSP) *then* fail hard?

Wouldn't this allow graceful degradation patterns with prefixed headers, but still help authors to clean up bogus configurations?

-- G
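The three options under discussion (fail closed on any extra header, enforce every policy, or enforce the first recognized variant and fail closed only on a duplicated variant) can be compared side by side. The following is an added illustration, not code from this thread or from any browser; the variant preference order, the function names, and the header lists are assumptions constructed for it.

```python
# Added example, not code from the thread: three candidate rules for a user
# agent that receives more than one Content-Security-Policy header. The header
# names are the ones discussed on the list; the preference order and helper
# names are assumptions made for this illustration.
from collections import Counter

# Unprefixed first, then the vendor-prefixed variants (assumed UA preference).
CSP_VARIANTS = (
    "content-security-policy",
    "x-content-security-policy",
    "x-webkit-csp",
)
# Policy used to "fail in an obnoxious way" that a developer will notice.
FAIL_CLOSED = "default-src 'none'"


def csp_headers(headers):
    """Keep only CSP-variant headers, lower-cased, in wire order."""
    return [(name.lower(), value.strip())
            for name, value in headers
            if name.lower() in CSP_VARIANTS]


def rule_fail_on_duplicates(headers):
    """Rule from the meeting: more than one CSP header of any kind -> fail closed."""
    found = csp_headers(headers)
    if not found:
        return None                      # no policy delivered at all
    if len(found) > 1:
        return [FAIL_CLOSED]
    return [found[0][1]]


def rule_enforce_all(headers):
    """Enforce every policy present; a load must satisfy all of them."""
    found = csp_headers(headers)
    return [value for _, value in found] or None


def rule_first_variant_strict(headers):
    """Maone's proposal: enforce the first variant the UA recognizes, but
    fail closed if any single variant (e.g. X-WebKit-CSP) occurs twice."""
    found = csp_headers(headers)
    if not found:
        return None
    per_variant = Counter(name for name, _ in found)
    if any(count > 1 for count in per_variant.values()):
        return [FAIL_CLOSED]             # bogus configuration: fail hard
    for variant in CSP_VARIANTS:         # graceful degradation: pick by preference
        for name, value in found:
            if name == variant:
                return [value]
    return None                          # unreachable: found only holds known variants


def compare_rules(headers):
    """Run all three rules over one header list for side-by-side inspection."""
    return {
        "fail_on_duplicates": rule_fail_on_duplicates(headers),
        "enforce_all": rule_enforce_all(headers),
        "first_variant_strict": rule_first_variant_strict(headers),
    }


# Constructed header lists, not captured from real responses.
GRACEFUL_DEGRADATION = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Security-Policy", "default-src 'self'"),
    ("X-WebKit-CSP", "default-src 'self'"),
]
DUPLICATED_VARIANT = [
    ("X-WebKit-CSP", "default-src 'self'"),
    ("X-WebKit-CSP", "default-src 'self'; script-src 'self'"),
]

if __name__ == "__main__":
    for label, hdrs in (("graceful degradation", GRACEFUL_DEGRADATION),
                        ("duplicated variant", DUPLICATED_VARIANT)):
        print(label)
        for rule, result in compare_rules(hdrs).items():
            print(f"  {rule:22s} -> {result}")
```

On the graceful-degradation triple the meeting rule collapses to `default-src 'none'` even though the author did nothing wrong, while the first-variant rule enforces the one intended policy; only when the same variant appears twice do the two rules agree on failing closed.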
Received on Friday, 4 May 2012 18:15:40 UTC