- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 11:37:48 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-webappsec@w3.org
On Mon, May 7, 2012 at 11:08 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/4/12 10:37 AM, Adam Barth wrote:
>> During the test jam, I noticed that all the tests used the
>> following pattern:
>>
>> Content-Security-Policy: <insert policy here>
>> X-Content-Security-Policy: <insert policy here>
>> X-WebKit-CSP: <insert policy here>
>>
>> Do we really want to enforce default-src 'none' in this case too?
>> That doesn't seem like the right thing to do. Perhaps we ought to
>> just enforce all the policies after all.
>
> How do you enforce "all" the policies if they are different? Unless
> you're reintroducing policy intersecting you still have to pick
> whether you're going to follow one or the other.

An action is allowed only if that action is allowed by all the policies.

More technically, all the requirements for enforcing CSP directives are phrased in terms of forbidding the user agent from doing certain things (e.g., executing inline scripts). To enforce multiple policies, we just forbid the user agent from doing all of the things forbidden by any of the policies.

From any implementation point of view, you can just keep a list of all the policies you want to enforce. To determine whether an action is allowed, you just loop over all the policies and check that none of them forbid it. I don't think there's any need to materialize a combined policy, which is what was so complicated about the previous definition of policy combination.

Adam
Received on Monday, 7 May 2012 18:39:24 UTC
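The enforcement rule described in the message above, written out as an added example (not code from the thread or from any browser's CSP implementation): each delivered header is parsed into its own policy, and a load is permitted only if every policy permits it, with no combined policy ever built. The header values, origins and the reduced source-expression matching ('none', 'self', '*', exact origin) are constructed assumptions for illustration.

```python
from typing import Dict, List, Optional, Set

Policy = Dict[str, Set[str]]

# Constructed sample: the three header variants from the thread, each
# delivering a *different* policy for the same page.
SAMPLE_HEADERS = [
    "default-src 'self'; script-src 'self' https://cdn.example",  # Content-Security-Policy
    "default-src 'self'; img-src *",                              # X-Content-Security-Policy
    "default-src 'self'",                                         # X-WebKit-CSP
]
PAGE_ORIGIN = "https://example.com"  # constructed page origin


def parse_policy(header_value: str) -> Policy:
    """Turn one CSP header value into {directive: set of source expressions}."""
    policy: Policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def policy_allows(policy: Policy, directive: str, origin: str, page_origin: str) -> bool:
    """Does a single policy permit a load of `origin` governed by `directive`?
    Falls back to default-src when the directive is absent; if neither is
    present the policy is silent and forbids nothing. Source matching is
    deliberately reduced to the forms used in this example."""
    sources: Optional[Set[str]] = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    if "*" in sources:
        return True
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources


def allowed_by_all(policies: List[Policy], directive: str, origin: str, page_origin: str) -> bool:
    """The rule from the message: loop over every policy and allow the load
    only if none of them forbids it. Nothing is merged or intersected."""
    return all(policy_allows(p, directive, origin, page_origin) for p in policies)


SAMPLE_POLICIES = [parse_policy(h) for h in SAMPLE_HEADERS]

if __name__ == "__main__":
    # The CDN script passes the first header but is forbidden by the other two.
    print(allowed_by_all(SAMPLE_POLICIES, "script-src", "https://cdn.example", PAGE_ORIGIN))
```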