Re: Multiple Content-Security-Policy headers

On Mon, May 7, 2012 at 11:08 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/4/12 10:37 AM, Adam Barth wrote:
>> During the test jam, and I noticed that all the tests used the
>> following pattern:
>>
>> Content-Security-Policy: <insert policy here>
>> X-Content-Security-Policy: <insert policy here>
>> X-WebKit-CSP: <insert policy here>
>>
>> Do we really want to enforce default-src 'none' in this case too?
>> That doesn't seem like the right thing to do.  Perhaps we ought to
>> just enforce all the policies after all.
>
> How do you enforce "all" the policies if they are different? Unless
> you're reintroducing policy intersecting you still have to pick
> whether you're going to follow one or the other.

An action is allowed only if that action is allowed by all the policies.

More technically, all the requirements for enforcing CSP directives
are phrased in terms of forbidding the user agent from doing certain
things (e.g., executing inline scripts).  To enforce multiple
policies, we just forbid the user agent from doing all of the things
forbidden by any of the policies.

>From any implementation point of view, you can just keep a list of all
the policies you want to enforce.  To determine whether an action is
allowed, you just loop over all the policies and check that none of
them forbid it.  I don't think there's any need to materialize a
combined policy, which is what was so complicated about the previous
definition of policy combination.

Adam

Received on Monday, 7 May 2012 18:39:24 UTC