Re: Multiple Content-Security-Policy headers

On 5/7/12 3:36 PM, Adam Barth wrote:
> On Mon, May 7, 2012 at 3:29 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>> Instead, what if we set precedence for different types of headers.  If
>> firefox see's Content-Security-Policy and X-Content-Security-Policy, it
>> ignores X-Content-Security-Policy.  If Webkit sees Content-Security-Policy
>> and X-WebKit-CSP, it ignores X-WebKit-CSP.  If either browser see's two of
>> the same headers (2 Content-Security-Policy, 2 X-Content-Security-Policy, or
>> 2 X-Webkit-CSP), set the policy to default-src 'none'.
> 
> I'd rather not spec what implementations should do with
> vendor-prefixed headers, if we can avoid it.
> 
> I guess I was mistaken.  I thought you and dveditz preferred that the
> user agent combined multiple policies.  If you and Dan would prefer
> that multiple Content-Security-Policy headers cause the user agent to
> enforce default-src 'none', I'm happy to update the spec to require
> that.

We definitely prefer combined policies; it seems far more useful
than default-src 'none'. Whether you apply each in series or try to
intersect them for performance reasons is an implementation detail
that should lead to the same result. We're fine having it specified
that clients should behave "as if" they were combined that way.

Whether the standard header should obsolete any experimental ones or
combine with it is a separate issue and was the main thrust of
Tanvi's mail. I've been assuming we'd obsolete the
experimental/prefixed versions but you're not wrong that it might be
useful for experimentation with future features. Probably better
than prefixed directives, anyway.

-Dan Veditz

Received on Tuesday, 8 May 2012 01:08:37 UTC