Re: Multiple Content-Security-Policy headers

On 5/7/12 11:37 AM, Adam Barth wrote:
> An action is allowed only if that action is allowed by all the policies.
>
> More technically, all the requirements for enforcing CSP directives
> are phrased in terms of forbidding the user agent from doing certain
> things (e.g., executing inline scripts).  To enforce multiple
> policies, we just forbid the user agent from doing all of the things
> forbidden by any of the policies.
>
> From an implementation point of view, you can just keep a list of all
> the policies you want to enforce.  To determine whether an action is
> allowed, you just loop over all the policies and check that none of
> them forbid it.  I don't think there's any need to materialize a
> combined policy, which is what was so complicated about the previous
> definition of policy combination.
>
> Adam
>
One policy might whitelist foo.com while another may not.  According to 
Adam's proposal, we'd go through both policies.  Once we realize one 
does not allow it, we forbid it.  This will take extra time to parse the 
policies and extra implementation work for the browsers.

Instead, what if we set precedence for different types of headers.  If 
Firefox sees Content-Security-Policy and X-Content-Security-Policy, it 
ignores X-Content-Security-Policy.  If WebKit sees 
Content-Security-Policy and X-WebKit-CSP, it ignores X-WebKit-CSP.  If 
either browser sees two of the same headers (2 Content-Security-Policy, 
2 X-Content-Security-Policy, or 2 X-WebKit-CSP), set the policy to 
default-src 'none'.

~Tanvi

Received on Monday, 7 May 2012 22:30:20 UTC
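As an added illustration of the two approaches discussed in this exchange (this is not code from the thread or from any browser's CSP implementation), the JavaScript below models Adam's rule, keeping every received policy in a list and allowing a fetch only if no policy forbids it, beside a function modelling Tanvi's header-precedence proposal. The page origin, the policy strings, the hostnames and all function names are constructed for the example; the source matcher handles only 'none', 'self', '*', bare hosts and *.wildcard hosts, not the full CSP matching rules.

```javascript
// Added example: a toy model of enforcing several CSP policies at once.
// Not code from the original thread or from any browser; origins and
// policy strings below are constructed for illustration.

// Parse a serialized policy ("default-src 'self'; script-src foo.com")
// into a Map of directive name -> array of source expressions.
// A repeated directive within one policy is ignored, as in CSP.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression match a request to `origin` on a page
// served from `pageOrigin`? Simplified: no scheme-only or path matching.
function sourceMatches(expr, origin, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return origin === pageOrigin;
  if (e === '*') return true;
  const host = new URL(origin).host;
  const exprHost = e.includes('://') ? new URL(e).host : e;
  if (exprHost.startsWith('*.')) {
    // "*.foo.com" matches subdomains of foo.com but not foo.com itself.
    return host.endsWith(exprHost.slice(1));
  }
  return host === exprHost;
}

// One policy allows a fetch for `directive` if the directive's source list
// (or the default-src fallback) matches; a policy with neither imposes
// no restriction on that fetch.
function policyAllows(policy, directive, origin, pageOrigin) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some(expr => sourceMatches(expr, origin, pageOrigin));
}

// Adam's rule: keep every policy in a list and allow an action only if
// none of them forbids it. No combined policy is ever materialised.
function allowedByAll(policies, directive, origin, pageOrigin) {
  return policies.every(p => policyAllows(p, directive, origin, pageOrigin));
}

// Tanvi's counter-proposal, modelled for comparison: prefer the unprefixed
// header and ignore the vendor-prefixed one when both are present; if the
// chosen header name is repeated, enforce default-src 'none' instead.
function selectPolicies(headers, vendorPrefixedName) {
  const byName = n => headers.filter(h => h.name.toLowerCase() === n.toLowerCase());
  const unprefixed = byName('Content-Security-Policy');
  const chosen = unprefixed.length > 0 ? unprefixed : byName(vendorPrefixedName);
  if (chosen.length > 1) return [parsePolicy("default-src 'none'")];
  return chosen.map(h => parsePolicy(h.value));
}

// Constructed sample: one policy whitelists foo.com for scripts, the other
// does not. Under Adam's rule the script load from foo.com is forbidden.
const pageOrigin = 'https://example.test';
const policies = [
  parsePolicy("default-src 'self'; script-src 'self' foo.com"),
  parsePolicy("script-src 'self'"),
];
allowedByAll(policies, 'script-src', 'https://foo.com', pageOrigin); // false
allowedByAll(policies, 'script-src', pageOrigin, pageOrigin);        // true

// Constructed sample headers for the precedence model.
const sampleHeaders = [
  { name: 'Content-Security-Policy', value: "script-src 'self'" },
  { name: 'X-Content-Security-Policy', value: "script-src foo.com" },
];
selectPolicies(sampleHeaders, 'X-Content-Security-Policy').length; // 1
```

The two models differ on exactly the case Tanvi raises: with `allowedByAll` both headers are parsed and foo.com is refused because one of them forbids it, while `selectPolicies` never parses the vendor-prefixed header at all. Note that a fetch with no applicable directive in a policy is treated as unrestricted by that policy, so a page sending only `script-src` imposes nothing on images.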