- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 15:36:22 -0700
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: public-webappsec@w3.org
On Mon, May 7, 2012 at 3:29 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> On 5/7/12 11:37 AM, Adam Barth wrote:
>> An action is allowed only if that action is allowed by all the policies.
>>
>> More technically, all the requirements for enforcing CSP directives
>> are phrased in terms of forbidding the user agent from doing certain
>> things (e.g., executing inline scripts). To enforce multiple
>> policies, we just forbid the user agent from doing all of the things
>> forbidden by any of the policies.
>>
>> From an implementation point of view, you can just keep a list of all
>> the policies you want to enforce. To determine whether an action is
>> allowed, you just loop over all the policies and check that none of
>> them forbid it. I don't think there's any need to materialize a
>> combined policy, which is what was so complicated about the previous
>> definition of policy combination.
>
> One policy might whitelist foo.com while another may not. According to
> Adam's proposal, we'd go through both policies. Once we realize one does
> not allow it, we forbid it. This will take extra time to parse the policies
> and extra implementation work for the browsers.
>
> Instead, what if we set precedence for different types of headers. If
> Firefox sees Content-Security-Policy and X-Content-Security-Policy, it
> ignores X-Content-Security-Policy. If WebKit sees Content-Security-Policy
> and X-WebKit-CSP, it ignores X-WebKit-CSP. If either browser sees two of
> the same headers (2 Content-Security-Policy, 2 X-Content-Security-Policy, or
> 2 X-WebKit-CSP), set the policy to default-src 'none'.

I'd rather not spec what implementations should do with vendor-prefixed
headers, if we can avoid it.

I guess I was mistaken. I thought you and dveditz preferred that the
user agent combined multiple policies. If you and Dan would prefer
that multiple Content-Security-Policy headers cause the user agent to
enforce default-src 'none', I'm happy to update the spec to require
that.
Adam
Received on Monday, 7 May 2012 22:37:24 UTC
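The two approaches discussed in this message, Adam's "loop over every policy and allow only what none of them forbids" enforcement and Tanvi's "more than one header means default-src 'none'" fallback, as an added JavaScript example that is not part of the thread, the CSP specification, or any browser's implementation. The header values, document origin and resource URLs are constructed for the example, and source-expression matching is deliberately simplified: it handles 'none', 'self', '*', bare schemes, and [scheme://]host with an optional leading "*." wildcard, and ignores ports, paths, nonces, hashes and 'unsafe-inline'.

```javascript
// Added example (not from the thread or any browser): enforce several CSP
// policies by checking each one independently. A load is allowed only if no
// policy forbids it; no combined policy is ever materialized.
// Simplified source expressions: 'none', 'self', '*', "scheme:", and
// [scheme://]host with an optional leading "*." wildcard. Ports, paths,
// nonces, hashes and 'unsafe-inline' are not modelled.

// Parse one policy string ("default-src 'self'; img-src *") into a
// Map of directive name -> array of source expressions.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored (first one wins).
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Each header line may carry several comma-separated policies; every one is
// parsed separately and enforced separately.
function policiesFromHeaders(headerValues) {
  return headerValues
    .flatMap(v => v.split(','))
    .map(s => s.trim())
    .filter(Boolean)
    .map(parsePolicy);
}

// Does one source expression match the resource URL?
function sourceMatches(expr, resource, selfOrigin) {
  const self = new URL(selfOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return resource.origin === self.origin;
  if (expr === '*') return resource.protocol === 'http:' || resource.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return resource.protocol === expr.toLowerCase();

  // [scheme://]host
  let scheme = null;
  let host = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; host = m[2]; }
  if (scheme !== null && resource.protocol !== scheme) return false;
  // Scheme-less host source (approximation of the spec's rule): allow the
  // document's own scheme or https.
  if (scheme === null && resource.protocol !== self.protocol && resource.protocol !== 'https:') return false;

  host = host.toLowerCase();
  const target = resource.hostname.toLowerCase();
  if (host.startsWith('*.')) return target.endsWith(host.slice(1)); // "*.foo.com" does not match "foo.com"
  return target === host;
}

// Is a load of `url` governed by `directive` (e.g. "script-src") allowed by
// ONE policy? Falls back to default-src; if neither is present the policy
// says nothing about this load and it is allowed.
function policyAllows(policy, directive, url, selfOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  const resource = new URL(url);
  return sources.some(expr => sourceMatches(expr, resource, selfOrigin));
}

// Adam's rule: the load is allowed only if every policy allows it.
function allowedByAll(policies, directive, url, selfOrigin) {
  return policies.every(p => policyAllows(p, directive, url, selfOrigin));
}

// Tanvi's alternative: more than one policy of the same kind is treated as a
// conflict and replaced by the most restrictive policy, default-src 'none'.
function policiesWithConflictRule(headerValues) {
  const policies = policiesFromHeaders(headerValues);
  return policies.length > 1 ? [parsePolicy("default-src 'none'")] : policies;
}

// Constructed sample: one response carrying two Content-Security-Policy headers.
const SELF_ORIGIN = 'https://example.com';
const HEADERS = [
  "default-src 'self'; script-src 'self' https://cdn.foo.com",
  "script-src 'self' https://cdn.foo.com https://analytics.bar.com",
];
const POLICIES = policiesFromHeaders(HEADERS);

if (typeof require !== 'undefined' && require.main === module) {
  for (const [directive, url] of [
    ['script-src', 'https://cdn.foo.com/a.js'],        // allowed by both policies
    ['script-src', 'https://analytics.bar.com/t.js'],  // second allows, first forbids
    ['img-src', 'https://example.com/logo.png'],       // default-src 'self' in the first, unrestricted in the second
    ['img-src', 'https://cdn.foo.com/logo.png'],       // first policy's default-src forbids it
  ]) {
    console.log(directive, url, allowedByAll(POLICIES, directive, url, SELF_ORIGIN));
  }
  console.log('conflict rule:', allowedByAll(policiesWithConflictRule(HEADERS), 'script-src', 'https://cdn.foo.com/a.js', SELF_ORIGIN));
}
```

The script loaded from analytics.bar.com is the case Tanvi raises: the second policy whitelists it, the first does not, so the loop rejects it as soon as the first policy says no. Under the conflict rule the same response yields a single default-src 'none' policy and every load, including the cdn.foo.com script both headers agree on, is refused.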